3

How does one prevent hotlinking of SWF files from an Amazon S3 file system? Flash files don't send HTTP referrers, so I've tried to set a bucket policy that restricts to certain referrers at Amazon, but no luck.

And this typical anti-hotlinking .htaccess at my server doesn't work:

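# Let requests with an empty Referer through
RewriteCond %{HTTP_REFERER} !^$
# Let requests referred by mysite.com (with or without www) through
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mysite\.com [NC]
# Redirect everything else to a placeholder image (absolute URL needed for an external redirect)
RewriteRule \.(jpg|jpeg|png|gif|swf)$ http://mysite.com/goaway.jpg [NC,R,L]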

.htaccess and mod_rewrite do work OK for other things, like WordPress permalinks, so I don't think it's a shared hosting-wide problem with mod_rewrite.

Does the URL I'm using in the Flash embed matter? http://mybucketname.s3.amazonaws.com

markratledge

1 Answer

3

The best way to do this is to have the code on your page generate an S3 pre-signed URL that has a short lifetime. If, for example, the object is always downloaded in <60 seconds, you can generate a signed URL that is valid for 60 seconds. The user can't reuse that same URL after the 60 seconds are up. They would no longer be able to embed that object on their page, as each request is only valid for 60 seconds.

You can read more about signed URLs here: http://docs.amazonwebservices.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html

Nathan V