Prevent Flash file hotlinking from Amazon S3

Question

How does one prevent hotlinking of swf files from an Amazon S3 file system? Flash files don't send http referrers, so I've tried to set a bucket policy that restricts to certain referrers at Amazon, but no luck.

And this typical anti-hotlinking .htaccess at my server doesn't work:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mysite.com [NC]
RewriteRule \.(jpg|jpeg|png|gif|swf)$ mysite.com/goaway.jpg [NC,R,L]

.htaccess and mod_rewrite does work OK for other things, like WordPress permalinks, so I don't think it's a shared hosting-wide problem with mod_rewrite.

Does the URL I'm using in the flash embed matter?: http://mybucketname.s3.amazonaws.com

@jayarjo: I never did. I ended up using a Wordpress plugin to secure the files and set access permissions at amazon. — markratledge, Aug 14 '12 at 17:05

score 3 · Answer 1 · answered Nov 27 '12 at 11:48

The best way to do this is on your page have the code generate an S3 pre-signed URL that has a short lifetime. If, for example, the object is always downloaded in <60 seconds you can generate a signed URL that is valid for 60 seconds. The user can't reuse that same URL after 60 seconds is up. They would no longer be able to embed that object on their page as each request is only valid for 60 seconds.

You can read more about signed URLs here: http://docs.amazonwebservices.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html

Prevent Flash file hotlinking from Amazon S3

1 Answers1