Is there a secure way to allow an image to be displayed only within a particular domain, and to prevent it from being shown on any other website?

schroeder
alg

1 Answer

There is the notion of an HTTP "referer" (originally a misspelling of "referrer") which your browser will send when requesting pages and assets (images, stylesheets etc.). Some security products scrub this, though (as a privacy risk), so if you're not willing to accept some false positives (users who should see the images being unable to), then this would be a bad solution.

You could set it so the images are not revealed if the referring page is not your website/domain, and you can do it either:

  1. On the web server, if it supports it, e.g. using .htaccess permissions on Apache; or

  2. By having your images link to a script which will display the correct image if the referrer matches but send a different file if not (e.g. yoursite.com/showimage.php?image=holiday.jpg), which would check the referrer in code and decide whether or not to show the image; see $_SERVER['HTTP_REFERER'] for PHP.

The HTTP REFERER is set by the user, so it can easily be forged and is not a good security mechanism against a determined attacker at all, but it should serve a useful purpose for most non-technical users where it is only your bandwidth you are trying to protect.

You can see what headers are set by your browser by clicking on this link which should show that you were directed to it via this site.

Matthew1471
  • Doesn't prevent anyone from downloading it and uploading to their server, or proxying via their server. – Matthew Feb 06 '17 at 13:47
  • Agreed. It's useless for any person who is fairly technically competent (and if it's been saved or transferred to somewhere else then all bets are off as it's outside your control!). Better than nothing but I make no promises this is more than security by obscurity. For some people this is all they want, depends on their risk management and perceived threat actors. If you were looking for something bullet-proof, then we start getting into the [Analog hole](https://en.wikipedia.org/wiki/Analog_hole) problem :). – Matthew1471 Feb 06 '17 at 13:48
  • "not a good security mechanism" Damn! Hopefully, I'm not on infosec exchange! Don't take it bad: there's actually no safe way to do what OP asks for. Once it's online, one cannot prevent it to be publicly shared. – Xenos Feb 06 '17 at 14:01
  • It is "a" security mechanism though.. just like locking your front door assists with preventing getting burgled ;-).. whether it's a good one or not is definitely a bigger discussion but not everyone who visits this site is looking for countering advanced persistent threats ;-). I also have given no illusion this is a fantastic solution and read the question as the user is trying to protect their site's bandwidth from hot-linkers not the images themselves. – Matthew1471 Feb 06 '17 at 14:03
  • Thank you for your answer, but as you mentioned, this is not a good security mechanism and I would like the image to be fully secure for a particular domain. what I want is that just like in Captcha services, for example the reCaptcha, that ensure a Captcha image is displayed for a particular domain, what is the mechanism that Google uses to do so?. – alg Feb 06 '17 at 15:18
  • I think even Google suffers from the [Analog hole](https://en.wikipedia.org/wiki/Analog_hole) problem. As Xenos said there is no entirely safe way to do what you have asked. – Matthew1471 Feb 06 '17 at 17:37