Just a quick post.
I've been thinking about image security lately, within the context of reading ebooks online.
Nothing online's going to be totally safe, but I have been thinking of better things I can do to protect an image on a website.
I've seen some sites that use image servers to protect access to the direct image, but if the image is called via the <img> tag, then all one has to do is use their browser's "Save web page complete" function.
I haven't investigated why, but calling an image via CSS' background-image property (http://www.w3schools.com/cssref/pr_background-image.asp) doesn't result in the image being downloaded via the browser.
I found a nice tutorial on "shrink wrapping" an image at http://skinnyartist.com/how-to-shrink-wrap-your-images/.
On top of that, I used an image proxy script to read and return the data for a given referring URL only, and used .htaccess to block ALL HTTP requests to images within a given folder.
Here's the link to the "demo": https://humaneguitarist.org/blog/uploads/image_proxy/index.php. If you can download the image by hook or crook, I'd appreciate a comment below on how it was done. So far, using just Firefox, I can go to "View Page Info > Media > Save As" and get it, although that's hopefully a bit of a pain and, therefore, a deterrent.
The PHP image proxy script and the .htaccess file are below.
image.php
<?php
function return_image($image_url, $referring_url, $url_prefix = "", $fallback_image = "") {
    /* Takes an image located at ($url_prefix + $image_url) and returns the image data provided the
       HTTP_REFERER is equal to $referring_url.
       If the image does not exist it will fall back to $fallback_image.
       For the basic code related to proxying data in this way, see: "http://www.php.net/manual/en/function.fpassthru.php".
    */
    // restrict access to the image to $referring_url only.
    // (the header may be absent, so read it with a default to avoid an undefined-index notice.)
    if (($_SERVER["HTTP_REFERER"] ?? "") != $referring_url) {
        echo "You aren't allowed to see this image directly.";
        exit;
    }
    // refuse directory traversal and URL schemes in the requested name; otherwise
    // fopen() would read whatever path the query string names.
    if (strpos($image_url, "..") !== false || strpos($image_url, "://") !== false) {
        echo "Invalid image name.";
        exit;
    }
    $image_url = $url_prefix . $image_url;
    $binary = null;
    // open the file only for .jpg, .gif, and .png files.
    // (stripos() returns the match position or false, so compare against false
    // rather than true: a match at position 0 would otherwise be rejected.)
    if (stripos($image_url, ".jpg") !== false
        || stripos($image_url, ".gif") !== false
        || stripos($image_url, ".png") !== false) {
        $binary = @fopen($image_url, "rb");
    }
    // use the fallback image if opening the file failed.
    if (!$binary) {
        $image_url = $fallback_image;
        $binary = @fopen($image_url, "rb");
    }
    // give up with a 404 if the fallback could not be opened either.
    if (!$binary) {
        header("HTTP/1.0 404 Not Found");
        exit;
    }
    // set the MIME type; send the image; stop the script.
    $extension = substr($image_url, -3); // will not work with extensions over 3 characters, i.e. "jpeg".
    header("Content-Type: image/$extension");
    fpassthru($binary);
    exit;
}
// execute return_image().
if (isset($_GET["q"])) {
    return_image($_GET["q"], "https://humaneguitarist.org/blog/uploads/image_proxy/index.php", "", "");
}
?>
.htaccess
# deny every direct HTTP request for image files in this folder (Apache 2.2 syntax;
# on Apache 2.4 use "Require all denied" in place of the Order/Deny pair).
<FilesMatch "\.(?:jpg|gif|png)$">
    Order allow,deny
    Deny from all
</FilesMatch>
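As an added example (not the post's own script), here is how the proxy's file lookup can be confined to a single image directory and its MIME type chosen from an allow-list, rather than passing the query string straight to fopen(); the ./images directory and the function names are assumptions made for this example.

```php
<?php
// Added example, not the post's script: confine the proxied file to one directory
// (assumed here to be ./images) and pick the MIME type from an allow-list instead
// of trusting the query string. Function names are chosen for this example.

function resolve_image_path(string $image_dir, string $requested): ?string {
    // Keep only the bare file name: directories, "..", and URL schemes are
    // discarded rather than handed to fopen()/readfile().
    $name = basename($requested);
    $base = realpath($image_dir);
    $path = realpath($image_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() resolved any symlinks; require the result to lie inside the base.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function image_mime_type(string $path): ?string {
    // Fixed allow-list keyed by extension, so "jpeg" works too (the substr(-3)
    // trick in the post's script cannot handle it).
    $types = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
              'gif' => 'image/gif', 'png' => 'image/png'];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return $types[$ext] ?? null;
}

function serve_confined_image(string $image_dir, string $requested, string $referring_url): void {
    // Referer gating as in the post. The header is supplied by the client, so this
    // is a deterrent; the path check is what limits which files the script reads.
    if (($_SERVER['HTTP_REFERER'] ?? '') !== $referring_url) {
        http_response_code(403);
        exit("You aren't allowed to see this image directly.");
    }
    $path = resolve_image_path($image_dir, $requested);
    $mime = ($path === null) ? null : image_mime_type($path);
    if ($mime === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

serve_confined_image(__DIR__ . '/images', $_GET['q'] ?? '', 'https://humaneguitarist.org/blog/uploads/image_proxy/index.php');
```

Pair it with the same .htaccess rule on the ./images folder so the files are reachable only through the script.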