
How to Prevent Direct Access to Images in Apache

Sometimes you may want to prevent direct access to images on your website. For example, you may want images to load on web pages via image tags, but not allow anyone to open the image URL directly in their browser. This is because people often download images from other websites and use them as their own. In this article, we will learn how to prevent direct access to images in Apache. You can use the same steps to prevent direct access to other file types as well.



Here are the steps to prevent direct access to images in Apache. Let us say you want to block direct access to .gif and .jpg images on your site.


1. Enable mod_rewrite

First you need to enable mod_rewrite (.htaccess) for your Apache server. If you have already enabled it, then you can skip this step.

Otherwise, depending on your Linux distribution, run the following commands to enable it.

Ubuntu/Debian

Open terminal and run the following command to enable mod_rewrite.

$ sudo a2enmod rewrite

Redhat/Fedora/CentOS

Open Apache configuration file in a text editor.

$ sudo vi /etc/apache2/httpd.conf
OR
$ sudo vi /etc/httpd/conf/httpd.conf

Look for the following line.

#LoadModule rewrite_module modules/mod_rewrite.so

Uncomment it by removing # at its beginning. If you don’t find this line, add it afresh.

Also look for the following Directory tag and change AllowOverride from None to All.

. . .
<Directory /var/www/html>
. . .
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride All
. . .
</Directory>
. . .


2. Open .htaccess file

Open .htaccess file in a text editor. If your .htaccess file is located somewhere other than default location, then replace the path below with the correct file path of .htaccess.

$ sudo vi /var/www/html/.htaccess


3. Prevent Direct Access

Add the following lines to .htaccess file. Replace example with your domain name.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]

Let us look at the above lines. The first line enables the rewrite engine. The next 2 lines check the HTTP_REFERER value of the request. If it does not begin with your site's address over http or https (for example, http://www.example.com), that is, if the request has been sent directly or from another website, then Apache checks the extension of the requested file. If it is .gif or .jpg, Apache responds with a 403 Forbidden message.

That is how Apache is able to block direct access to files on your website.

However, please note that if you have already loaded a web page from the website in your browser and then open the image directly in a new browser tab or window, you may still be able to see it. In such cases the image is loaded from the browser cache, not from the server.

If you want to block more file extensions, just add them to the right of gif|jpg with a pipe (|). Here is an example to block gif, jpg, png, bmp.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example.*$ [NC]
RewriteRule \.(gif|jpg|png|bmp)$ - [F]

If you want to block direct access to other files such as .txt and .pdf, just replace gif and jpg with your desired file extensions.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example.*$ [NC]
RewriteRule \.(txt|pdf)$ - [F]
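
The following is an added example, not part of the original article: a small Python model of the Referer check, run over constructed requests, comparing a prefix-only pattern like the one in the rules above with a variant whose host name is anchored. The domain example.com, the anchored pattern and the sample requests are assumptions made for illustration.

```python
import re

# Assumption: the protected site is example.com (placeholder domain).
# [NC] on a RewriteCond corresponds to re.IGNORECASE here.
PREFIX_ONLY = re.compile(r"^https?://(www\.)?example", re.I)
ANCHORED = re.compile(r"^https?://(www\.)?example\.com(/|$)", re.I)

# RewriteRule pattern from the page; it carries no [NC], so it is case-sensitive.
PROTECTED = re.compile(r"\.(gif|jpg)$")


def status(path, referer, allowed):
    """Return the HTTP status the rule set would give for one request.

    The page's two RewriteCond lines accept the same Referer values, so a
    single negated match models both.
    """
    if PROTECTED.search(path) and not allowed.search(referer or ""):
        return 403  # RewriteRule ... - [F]
    return 200


# Constructed sample requests: (label, requested path, Referer or None).
SAMPLES = [
    ("embedded in a page on the site", "img/logo.jpg", "https://www.example.com/gallery.html"),
    ("typed into the address bar", "img/logo.jpg", None),
    ("embedded by another site", "img/logo.jpg", "https://other.test/post"),
    ("lookalike host name", "img/logo.jpg", "https://example.com.other.test/"),
    ("upper-case extension", "img/LOGO.JPG", None),
]


def compare():
    """Status under the prefix-only and the anchored pattern for each sample."""
    return {label: (status(p, r, PREFIX_ONLY), status(p, r, ANCHORED))
            for label, p, r in SAMPLES}


if __name__ == "__main__":
    for label, (loose, strict) in compare().items():
        print(f"{label:32} prefix-only={loose} anchored={strict}")
```

The lookalike row is why the host name should be anchored with (/|$), and the last row shows that files stored with upper-case extensions need [NC] on the RewriteRule as well. The Referer header is set by the client, so these rules deter hotlinking but are not access control for files that must stay private.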


4. Restart Apache Server

Restart Apache server to apply changes.

$ sudo service apache2 restart

That’s it. In this article, we have learnt how to prevent direct access to files in Apache.
