Best practice to prevent image hotlinking?


(ljpp) #1

I have images uploaded to S3 and CloudFlare enabled on my site. To my knowledge however, and correct me if I am wrong, the CloudFlare’s hotlink protection does not work due to the images being hosted on a different domain.

Any suggestions or example implementations? If the S3 bucket policy is the way to go, I would love to see a .json code example.


(Matt Palmer) #2

You’d want to talk to CloudFlare about that, presumably. There’s nothing Discourse-specific about hotlinking protection on S3.


(ljpp) #3

No, nothing Discourse specific. But many of us rely on S3, so I am interested in how people treat hotlinking — new stuff for me personally, so gotta learn. Useful for anyone using S3, as hotlinking will become an issue. It's just a matter of time.


(Ron Dyar) #4

No idea how this works with CloudFlare, but an S3 bucket policy to do this checks the referer.

The code below has nothing to do with Discourse; it is protecting some files in a special paid section of an old website I have.

{
  "Version": "2008-10-17",
  "Id": "preventHotLinking",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::downloads.ephotopros.com/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "http://dev.ephotopros.com/*",
            "http://ephotopros.com.s3.amazonaws.com/*",
            "http://ephotopros.com/*",
            "http://s3.amazonaws.com/ephotopros.com/*",
            "http://localhost:4000/*",
            "http://prolabprints.com/*"
          ]
        }
      }
    }
  ]
}

The files are served from the main domain; the downloads subdomain is just the bucket name on S3. So the referrer check needs to match where the files should be allowed to be served from.

Interesting that it looks like Referer is misspelled, but that is working code.
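As an added example (not code from this thread, from Discourse or from AWS), the Python below models how S3 evaluates the `StringLike` condition on `aws:Referer` in a policy shaped like the one above, so you can check a candidate pattern list against real and missing referrers before deploying it. The bucket name and the allowed origins are constructed placeholders; the condition key is spelled `Referer` because that is the HTTP header's spelling. The evaluator is deliberately limited to the parts of the policy language the post uses (Allow statements, `s3:GetObject`, resource globs, `StringLike` on the referrer) and is an illustration, not AWS's evaluation engine.

```python
import re
from typing import Optional

# Constructed bucket policy modelled on the one in the post above. The bucket
# name and the allowed referrer origins are placeholders, not real sites.
BUCKET_POLICY = {
    "Version": "2008-10-17",
    "Id": "preventHotLinking",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-downloads-bucket/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://example.com/*",
                        "https://example.com/*",
                        "http://localhost:4000/*",
                    ]
                }
            },
        }
    ],
}

# Constructed object key used by the demo and the checks below.
OBJECT_ARN = "arn:aws:s3:::example-downloads-bucket/images/photo.jpg"


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one.

    Matching is case-sensitive and the whole value must match, so an https
    referrer does not satisfy an http-only pattern and a pattern ending in
    '/*' still requires the slash (http://example.com.evil.net/x fails)."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_get_allowed(policy: dict, object_arn: str, referer: Optional[str]) -> bool:
    """Return True if an Allow statement grants s3:GetObject on object_arn
    for a request whose Referer header is `referer` (None = header absent).

    Simplified evaluator: it only considers Allow statements, s3:GetObject,
    Resource globs and the StringLike aws:Referer condition. Deny statements,
    identity policies and other condition operators are ignored."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(string_like(a, "s3:GetObject") for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(string_like(r, object_arn) for r in resources):
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:Referer")
        if patterns is None:
            return True  # unconditional Allow
        # A StringLike condition on a key the request does not carry is false,
        # so direct visits and no-referrer browsers are refused by this policy.
        if referer is None:
            continue
        if any(string_like(p, referer) for p in _as_list(patterns)):
            return True
    return False


if __name__ == "__main__":
    for ref in ["http://example.com/topic/42", "https://example.com/", None,
                "http://example.com.evil.net/x", "http://other.example.net/gallery"]:
        verdict = "allow" if is_get_allowed(BUCKET_POLICY, OBJECT_ARN, ref) else "deny"
        print(f"{ref!r:40} -> {verdict}")
```

Running it shows the two things worth knowing before relying on this pattern: a request with no `Referer` at all (a URL typed into the address bar, a browser or page sending `Referrer-Policy: no-referrer`) is denied, and an `https://` page is denied unless the list contains an `https://` pattern, so a site that moves to HTTPS breaks its own images until the policy is updated. Because the header is supplied by the client, the condition stops casual hotlinking from other pages but is not access control; for the paid-content case in the post, presigned URLs with a short expiry are the stronger mechanism.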


(Michael Howell) #5