Hi

I want to stop direct download of videos file from my webiste folder. .htaccess is not working in godaddy windows server

Please help me.

eg: http://www.domain.com/folder/video.mp4
If paste the URL in the browser. it should not download the file from the server.

Hi,

I have few questions:

  1. in your tags there are PHP and database: how these are involved in this issue?
  2. The static files are served directly or by script?
  3. Are these files stored into a folder accessible from remote?
  4. Are you trying to block access to all static files or only some specific types?
  5. Are you using Apache or IIS? (You said you are on Windows but not which server you're using).

Thanks cereal

php with mssql.
Files are stored in folder and it was displayed from database.
Yes
Yes
server:      Microsoft-IIS/8.0

Ok with Microsoft-IIS/8.0 you can try to add a rewrite rule to your web.config file:

<rule name="Prevent image hotlinking">
    <match url=".*\.(gif|jpg|png)$"/>
    <conditions>
        <add input="{HTTP_REFERER}" pattern="^$" negate="true" />
        <add input="{HTTP_REFERER}" pattern="^http://site\.tld/.*$" negate="true" />
    </conditions>
    <action type="Rewrite" url="/images/say_no_to_hotlinking.jpg" />  
</rule>  

As explained here:

Note: I don't have much experience with IIS, so I cannot help much further, if you still need help wait for other daniwebers. Bye!

Thanks Cereal.
Sorry for late reply.

i will test

Member Avatar

Stupid question maybe but why use php mssql on iis instead.of LAMP?

If you're relying on the HTTP referrer header to prevent hot linking there are a couple of issues you might need to think about. The header can be spoofed. And it's not uncommon for the referrer to be blank, such as when someone bookmarks a resource.

I haven't attempted to block hot linking myself, but what I would try doing is setting a domain cookie so that at least you know they've visited your site. Then when they request the download, their browser will include the cookie in the request header, which you can test against.

If you need to protect resources more thoroughly, consider implementing a way for users to authenticate themselves, such as with a username and password, and/or restricting access by IP address.

thanks for all who helped me.