Use Referer to prevent picture hotlinking

When the browser to send a request to the Web server, usually bring referer, tell the server I was from which page chain, the server can get some information for processing, but this referer can be forged, the following look at an example, we will understand

What is HTTP Referer

In short, HTTP Referer is part of the header, and when the browser sends a request to the Web server, it usually takes a referer to tell the server where I came from, and the server can get some information for processing. For example, from my home page to link to a friend there, his server can be from the HTTP Referer to count the number of users per day to click on my home page links to visit his site.

Referer in fact should be the English word referrer, but misspelled too many people, so the people who write standards are mistake.

My question.

I have just changed the feed reader to Gregarius, but he is not like I used to Liferea, visit Sina Blog, can not show the picture, hint "This picture is limited to Sina Blog user communication and communication", I know, this is the result of HTTP Referer.

Because I am the particularity of the Internet client configuration, the first suspicion is squid problem, but through the experiment ruled out, but at the same time found a squid and Tor, Privoxy collaborative use of privacy disclosure problem, left to study later.

Can Gregarius handle the problem?

The answer is no, because Gregarius is only responsible for outputting HTML code, and access to the image is requested by the client browser to the server.

However, installing a Firefox extension may solve the problem, the recommended "Send referrer" I did not find, but found another available: "Refcontrol", according to the different access to the site, control the use of different referer.

But I don't like to use Firefox extensions to solve problems, because I think he is too inefficient, so I--privoxy in a better way.

Privoxy's great.

Add two lines to the Privoxy default.action:

{+hide-referrer{forge}}

. album.sina.com.cn

So the picture of Sina blog in Gregarius is out? +hide-referrer is a privoxy filter that sets the way to handle HTTP referer when accessing, and the Forge Representative uses the access address as the refere, and can also be replaced with block, which represents the cancellation of Referer, Or write the Referer URL that you want to use here.

Using Privoxy is much simpler than using Firefox, so change it quickly.

From HTTPS to HTTP

I also found that when I accessed a link from an HTTPS page to an unencrypted HTTP page, I couldn't check the HTTP referer on the HTTP page, for example, when I clicked the WWW XHTML verification icon below my HTTPS page (URL is http:// Validator.w3.org/check?uri=referer), never complete the checksum, prompting:

No Referer Header found!

Originally, it is defined in the RFC document of the HTTP protocol:

The code is as follows:

15.1.3 Encoding sensitive information in URI ' s

Clients SHOULD not include a Referer header field in a (non-secure)

HTTP request if the referring page is transferred with a secure

Protocol.

This is for security reasons, when access to unencrypted pages, if the source is an encrypted page, the client does not send Referer,ie has always been so implemented, Firefox browser is no exception. However, this does not affect access from encrypted pages to encrypted pages.

Firefox about referer settings

All in, there are two key values:

Network.http.sendRefererHeader (default=2) Set referer send mode, 0 for completely do not send, 1 for only click on the link to send, in the page to access the image of what the time does not send, 2 to always send. See Privacy Tip #3: Block Referer Headers in Firefox

Network.http.sendSecureXSiteReferrer (default=true) setting whether to send referer,true to send when accessing another encrypted page from an encrypted page, false to not send.

Use Referer to prevent picture hotlinking

Although Referer is not reliable, but to prevent the picture hotlinking is enough, after all, not everyone will modify the configuration of the client. Implementation is generally through the Apache configuration file, first set to allow access to the address, marked down:

# only allow access from don.com, the picture may be placed on the page of the don.com site

Setenvifnocase Referer "^http://www.don.com/" Local_ref

# Direct access via address

Setenvif Referer "^$" Local_ref

It then stipulates that the access marked is allowed:

The code is as follows:

<filesmatch ". (gif|jpg) ">

Order Allow,deny

Allow from Env=local_ref

</FilesMatch>

Or

The code is as follows:

<Directory/web/images>

Order Deny,allow

Deny from all

Allow from Env=local_ref

</Directory>

Don't use rerferer places.

Don't use Rerferer for authentication or other very important checks, because Rerferer is very easy to change on the client, either through the Firefox extensions described above, or privoxy, or even libcurl calls, So the rerferer data is incredibly unreliable.

If you want to limit the user's access to an entry page, instead of using Referer, use session, write sessions on the entry page, and then check on other pages, and if the user does not have access to the entry page, then the corresponding conversation does not exist, see the discussion here. However, as mentioned above, do not believe too much in this way of "validation" results.

Personal feeling now rerferer in addition to use in the Anti-Theft chain, the most other uses is access statistics, such as statistics users are from where the link to visit and so on.

Http-referer This variable has become increasingly unreliable, is completely can be forged out of the Dongdong.

The following is a forgery method:

PHP (provided the curl is installed):

The code is as follows:

$ch = Curl_init ();

curl_setopt ($ch, Curlopt_url, "http://www.d.cn/xxx.asp");

curl_setopt ($ch, Curlopt_referer, "http://www.d.cn/");

Curl_exec ($ch);

Curl_close ($ch);

PHP (not installed curl with sock)

$server = ' www.dc9.cn ';

$host = ' www.dc9.cn ';

$target = '/xxx.asp ';

$referer = ' http://www.d.cn/'; Referer

$port = 80;

$fp = Fsockopen ($server, $port, $errno, $errstr, 30);

if (! $fp)

{

echo "$errstr ($errno) <br/>n";

}

Else

{

$out = "Get $target http/1.1rn";

$out. = "Host: $hostrn";

$out. = "COOKIE:ASPSESSIONIDSQTBQSDA=DFCAPKLBBFICDAFMHNKIGKEGRN";

$out. = "Referer: $refererrn";

$out. = "Connection:closernrn";

Fwrite ($fp, $out);

while (!feof ($FP))

{

Echo fgets ($FP, 128);

}

Fclose ($FP);

}

Javascript

Xmlhttp.setrequestheader ("Referer", "Http://URL");/hehe ~ fake ~

JS does not support ^_^

The principle is that sock constructs HTTP headers to SendData. Other languages, like Perl, you know,

At present, the simpler way to defend against forgery Referer is to use the verification Code (session).

Now there are some commercial companies that can use anti-theft chain software, such as Uudog,linkgate,virtualwall, are the DLLs that are developed to be applied to IIS.

Some use cookies to verify, thread control, some can randomly generate file names and do URL rewrite. Some methods can indeed achieve a good result.

However, while, outsmart, these tricks after all, there is a way to crack.

The general is the case, but the server is not good to achieve forgery, can only make a few data, if you can achieve access to the Web page can be forged, it can achieve real forgery, the realization of natural IP distribution.