Tuesday, June 5, 2012

Block images, CSS or JS if the user did not visit my site


I am suddenly getting a lot of requests to my site (wget, curl, etc.).



I do not want any of these requests to be served unless the user has visited my site at least once with a real browser (like Firefox or Chrome).



Is there an Apache Module to do this? What can I do?



Thank you very much


Source: Tips4all

1 comment:

  1. The concept is simple: create a token that will be used in the files you want to protect.
    This token (a key like "abc123", saved in the session, not in a cookie) is checked in every file you load.
    That way, if the token does not match, you can redirect to a "page not found" or "access denied" page.

    Set up the token in index.php:

    <?php
    // index.php - start the session and store the token before any output is sent
    session_start();
    header("Cache-Control: no-cache, must-revalidate");
    header("Expires: Mon, 10 Oct 2005 05:00:00 GMT");
    $_SESSION['siteToken'] = "abc123";
    ?>

    <html>
    <head>
    <link rel="stylesheet" type="text/css" href="/style.css" />
    </head>
    <body>


    Now, in the CSS and JavaScript files, you need to check that the token is set and has the right value.

    // style.php (requested as style.css - see the rewrite rule below)
    <?php
    session_start();
    header("Content-type: text/css");
    header("Cache-Control: no-cache, must-revalidate");
    header("Expires: Mon, 10 Oct 2005 05:00:00 GMT");
    // Deny access unless the token set in index.php is present and correct
    if (!isset($_SESSION["siteToken"]) || $_SESSION["siteToken"] != "abc123") {
        session_regenerate_id();
        die(); // or redirect
    }
    ?>
    body { background-color: #000; color: #fff; }
    /* ...rest of the stylesheet... */


    You do the same thing for the JavaScript file.
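
    For example, a minimal sketch of what the JavaScript wrapper might look like (the file name script.php and its mapping from script.js are assumptions, wired up by the rewrite rule in the next step):

    // script.php (requested as script.js via a rewrite rule like the CSS one below)
    <?php
    session_start();
    header("Content-type: application/javascript");
    header("Cache-Control: no-cache, must-revalidate");
    header("Expires: Mon, 10 Oct 2005 05:00:00 GMT");
    // Same check as in the CSS wrapper
    if (!isset($_SESSION["siteToken"]) || $_SESSION["siteToken"] != "abc123") {
        session_regenerate_id();
        die(); // or redirect
    }
    ?>
    // ...the actual JavaScript goes here...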

    The next step is to update your .htaccess so that requests for the CSS and JavaScript files are handled by their PHP counterparts:

    RewriteEngine on
    RewriteBase /
    RewriteRule style.css style.php [NC,L]
    # likewise for the JavaScript file (assumed name):
    RewriteRule script.js script.php [NC,L]


    In addition, you can add this to your .htaccess to block known bad bots from requesting files:

    SetEnvIfNoCase User-Agent "^Wget" bad_bot
    SetEnvIfNoCase User-Agent "^EmailSiphon" bad_bot
    SetEnvIfNoCase User-Agent "^EmailWolf" bad_bot
    SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot
    #etc...
    Deny from env=bad_bot


    Now, as for the images: this approach works as well, but it will be slower than parsing the CSS and JavaScript files.
    The logic is the same, but instead of echoing the content you read the file with readfile().
    You also have to set the Content-Type header based on the file's extension.
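
    For illustration, a minimal sketch of such an image wrapper, assuming a hypothetical image.php that receives the file name from a rewrite rule (the file name, the ?file parameter, and the extension map are assumptions):

    // image.php - hypothetical wrapper: serve an image only if the session token matches
    <?php
    session_start();
    if (!isset($_SESSION["siteToken"]) || $_SESSION["siteToken"] != "abc123") {
        session_regenerate_id();
        die(); // or redirect
    }
    $file = basename($_GET["file"]);  // assumed ?file=... from a rewrite rule; basename() blocks path traversal
    $ext  = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    $types = array("jpg" => "image/jpeg", "jpeg" => "image/jpeg",
                   "png" => "image/png", "gif" => "image/gif");
    if (!isset($types[$ext]) || !is_file($file)) {
        die();                        // unknown type or missing file
    }
    header("Content-type: " . $types[$ext]);  // header depends on the extension
    readfile($file);                          // read the file instead of echoing
    ?>

    A rewrite rule along the lines of RewriteRule ^(.+\.(jpe?g|png|gif))$ image.php?file=$1 [NC,L] could then route image requests to it; that wiring is an assumption, not the only way to do it.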

    An alternative is to set this in your .htaccess file:

    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain\.com [NC]
    RewriteRule \.jpg$ - [NC,F,L]


    This is not bulletproof, though, since the Referer header can be spoofed or omitted entirely.
