How can I prevent hot-linking to my files in public storage?

1.4k views

I have an NGINX server (with a WordPress site) and use Google Cloud Storage to feed my content. I have noticed sites hot-linking to my files without any attribution.

I suppose I need:

  1. to make my links expire after a while so that they are no good after a while
  2. for my WordPress site to pass an AUTH TOKEN to permit access to my files
  3. for my Google Cloud Storage not to feed a file unless it's coming from the correct REFERRER?

How would someone accomplish this?

2

There are 2 answers

1
Dan Cornilescu (BEST ANSWER)

There are several methods of controlling access to GCS buckets and/or individual objects, you need to study them to see which one fits your case best. From Access Control Options:

You can control who has access to your Cloud Storage buckets and objects as well as what level of access they have. Below is a summary of the access control options available to you, along with links to learning more about each:

  • Identity and Access Management (IAM) permissions: Grant access to buckets as well as bulk access to a bucket's objects. IAM permissions give you broad control over your projects and buckets, but not fine-grained control over individual objects. For a reference of IAM permissions and roles specific to Cloud Storage, as well as which permissions allow users to run JSON and XML methods on buckets and objects, see the IAM Reference pages. To learn how to use IAM permissions, see Using IAM Permissions.

  • Access Control Lists (ACLs): Grant read or write access to users for individual buckets or objects. In most cases, you should use IAM permissions instead of ACLs. Use ACLs only when you need fine-grained control over individual objects. To learn how to use ACLs, see Create and Manage Access Control Lists.

  • Signed URLs (query string authentication): Give time-limited read or write access to an object through a URL you generate. Anyone with whom you share the URL can access the object for the duration of time you specify, regardless of whether or not they have a Google account.

  • Signed Policy Documents: Specify what can be uploaded to a bucket. Policy documents allow greater control over size, content type, and other upload characteristics than signed URLs, and can be used by website owners to allow visitors to upload files to Google Cloud Storage.

  • Firebase Security Rules: Provide granular, attribute-based access control to mobile and web apps using the Firebase SDKs for Cloud Storage. For example, you can specify who can upload or download objects, how large an object can be, or when an object can be downloaded.

These options are not mutually exclusive. For example, you can use ACLs to generally give private access to a bucket, but then create a signed URL or policy document that allows anyone you choose to access a resource within the bucket, bypassing the ACL mechanism.
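The signed-URL option above is the one that covers the asker's first two points (expiring links and a token the site hands out). The following is an added example, not part of the answer and not Google's implementation: it shows the mechanism with an HMAC over the object path plus an expiry timestamp, so a reader can see why a link stops working after its deadline and why the path cannot be swapped for another object. SECRET_KEY, BASE_URL and the object path are constructed values; real GCS signed URLs are produced by the service account key through the client library (for example Blob.generate_signed_url in the Python client) rather than by this code.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret for the demo. In a deployment this lives in the
# application's configuration on the server that issues links, never in
# pages served to visitors.
SECRET_KEY = b"demo-secret-do-not-use-in-production"
BASE_URL = "https://storage.example.com"  # hypothetical object host


def _signature(path: str, expires: int) -> str:
    # Bind the object path and the expiry together under one MAC so that
    # changing either one invalidates the token.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_signed_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue a link to `path` that is valid for `ttl_seconds` from `now`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(path, expires)})
    return f"{BASE_URL}{path}?{query}"


def verify_signed_url(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Check a link the way the storage side would: expiry first, then MAC."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "missing or malformed parameters"
    if now > expires:
        return False, "link expired"
    expected = _signature(parsed.path, expires)
    # Constant-time comparison so a wrong signature cannot be narrowed
    # down byte by byte through response timing.
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_000_000
    link = make_signed_url("/images/photo.jpg", ttl_seconds=600, now=issued_at)
    print(link)
    print(verify_signed_url(link, now=issued_at + 100))   # within TTL
    print(verify_signed_url(link, now=issued_at + 601))   # past TTL
```

A hot-linking site that copies such a link gets at most `ttl_seconds` of use out of it, and cannot mint links for other objects without the key. The WordPress side regenerates links on each page render, so legitimate visitors never see an expired one.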

1
SHON WILLIAMS

Put the following in your .htaccess file:

RewriteEngine on
# Allowed referring sites (dots escaped so they match literally)
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain2\.com [NC]
# File types to protect; requests from any other referrer are redirected
RewriteRule \.(jpg|jpeg|png|gif)$ http://hpmouse.googlepages.com/hotlink.gif [NC,R,L]

Lines 2 and 3 are the sites that you want to allow to link to your images. Line 4: file formats to block from linking.
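The rewrite rules above implement the asker's third point, a referrer check, and the same decision can be made in application code when the site runs on NGINX with WordPress rather than Apache. The example below is added here and is not the answerer's code: it mirrors the two RewriteCond lines and the extension match as one function, with two differences a practitioner would want. It anchors the host match so a referrer such as `https://yourdomain.com.evil.example/` is not accepted the way the unanchored `^http(s)?://(www\.)?yourdomain.com` prefix would accept it, and it makes the empty-referrer case an explicit choice, because the .htaccess rules as written also redirect requests with no Referer header (direct visits, and browsers or proxies that strip the header). The host names and request samples are constructed.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Hosts permitted to embed the images (constructed for this example,
# standing in for yourdomain.com / yourdomain2.com in the rules above).
ALLOWED_HOSTS = ("yourdomain.com", "yourdomain2.com")

# Same extensions as the RewriteRule; case-insensitive like its [NC] flag.
PROTECTED_EXT = re.compile(r"\.(jpg|jpeg|png|gif)$", re.IGNORECASE)


def _allowed_referer_pattern(hosts: Iterable[str]) -> "re.Pattern[str]":
    # http or https, optional "www.", then one of the hosts. re.escape keeps
    # the dots literal, and the lookahead insists the host ends there, so
    # "yourdomain.com.evil.example" does not match.
    alts = "|".join(re.escape(h) for h in hosts)
    return re.compile(rf"^https?://(www\.)?({alts})(?=[/:?#]|$)", re.IGNORECASE)


ALLOWED_REFERER = _allowed_referer_pattern(ALLOWED_HOSTS)


def is_hotlink(path: str, referer: Optional[str], allow_empty_referer: bool = True) -> bool:
    """True when the request should be redirected, i.e. treated as a hotlink.

    Mirrors the .htaccess logic: only protected extensions are considered,
    and a request passes if its Referer comes from an allowed host.
    """
    if not PROTECTED_EXT.search(path):
        return False  # not a protected file type, rules do not apply
    if not referer:
        # The Apache rules redirect these too; allowing them keeps direct
        # visits and privacy-mode browsers working at the cost of letting
        # a client that simply omits Referer through.
        return not allow_empty_referer
    return ALLOWED_REFERER.match(referer) is None


def review_requests(requests: Iterable[Tuple[str, Optional[str]]]) -> List[Tuple[str, str]]:
    """Label each (path, referer) pair as 'allow' or 'redirect'."""
    return [(p, "redirect" if is_hotlink(p, r) else "allow") for p, r in requests]


if __name__ == "__main__":
    # Constructed sample requests, not real log data.
    sample = [
        ("/wp-content/uploads/photo.jpg", "https://www.yourdomain.com/post/1"),
        ("/wp-content/uploads/photo.jpg", "https://forum.example.net/thread"),
        ("/wp-content/uploads/photo.jpg", "https://yourdomain.com.evil.example/"),
        ("/wp-content/uploads/report.pdf", "https://forum.example.net/thread"),
        ("/wp-content/uploads/photo.jpg", None),
    ]
    for path, verdict in review_requests(sample):
        print(f"{verdict:8} {path}")
```

Keep in mind that Referer is set by the client, so this check stops casual embedding but not a deliberate fetcher that sets the header to an allowed value; the signed-URL approach from the other answer is the one that holds up against that.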