
I am making an app that uploads and downloads images. I save these images on the server (Bluehost). However, I do not want the images to be accessible directly on the browser, only through the app.

I tried to block them in the .htaccess file; it worked, but it blocked all kinds of access, including through the app.

Is there a way to get around this? There are quite a few questions about this issue here, but none of them really helps.

Thanks

codedev
  • There is not a good solution based on just some easy blocking rules. The reason is that there is no reliable and robust way for the HTTP server to distinguish between an "app" and a browser; from the server's point of view, so on the protocol level, they are the same. You could try to play around with evaluating the referrer header and the agent header, but all that can easily be spoofed by anyone interested in doing so. – arkascha Mar 17 '19 at 02:59
  • The question is _why_ you want to limit access that way. What is the difference in how those resources are accessed? Why does it make a difference to _you_ ? If you publish images, then why should it be important what tool someone uses to access them? – arkascha Mar 17 '19 at 03:00
  • Thanks for your comment. The reason is that I want the images to be only accessible to the app users, not everyone. That's the goal. Could you maybe suggest another way to do it? – codedev Mar 17 '19 at 13:54
  • That is actually not an answer to my question but only a repetition of the statement you already made in the question. I asked for the "why", you answered "because!"... But anyway... – arkascha Mar 17 '19 at 14:07
  • The obvious approach would be some authorization system, but that would require registered clients, which I doubt you have. Maybe you could implement something based on a Google Play ID or similar, so use a third-party authorization service. I have never done that, and quite frankly I doubt you want to invest that effort. I fail to see a robust approach without a robust base. So maybe you will have to go with the insecure approach I mentioned that can easily be worked around. – arkascha Mar 17 '19 at 14:10
  • @codedev paste what you did in htaccess – Mohammed Elhag Mar 17 '19 at 19:34
  • I used this answer ( https://stackoverflow.com/questions/10236717/how-to-prevent-a-file-from-direct-url-access ). This is the code I used:

    ```
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.ltd [NC]
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.ltd.*$ [NC]
    RewriteRule \.(gif|jpg|js|txt)$ /messageforcurious [L]
    ```

    – codedev Mar 17 '19 at 21:25
  • Sorry I don't know how to write it in a better visible way :( – codedev Mar 17 '19 at 21:26
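
The two approaches raised in the comments, side by side, as an added example that is not code from the question or from any commenter: the Referer test from the quoted rule, and an HMAC-signed, expiring token issued per user and per image. The key, the user id, the file names, the `ExampleApp/1.0` agent string and the `user|expires|signature` token format are assumptions made for illustration; user ids are assumed not to contain `|`, and the login step that would precede `issue_token` is not shown.

```python
import hashlib
import hmac
import re
import time

# Constructed key for this example; a real one is random and stays on the server.
SERVER_KEY = b"example-key-not-for-production"
# Same pattern as the first RewriteCond in the rule quoted in the comments.
REFERER_OK = re.compile(r"^http://(www\.)?domain\.ltd", re.IGNORECASE)


def referer_allows(headers):
    """Mirror of the .htaccess rule: allow only when Referer matches the site."""
    return bool(REFERER_OK.search(headers.get("Referer", "")))


def _sign(user_id, image, expires):
    msg = f"{user_id}|{image}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user_id, image, ttl=300, now=None):
    """Issued after the app user has authenticated (login step assumed, not shown)."""
    expires = str(int(time.time() if now is None else now) + ttl)
    return f"{user_id}|{expires}|{_sign(user_id, image, expires)}"


def token_allows(token, image, now=None):
    """Allow only an untampered, unexpired token that was issued for this image."""
    try:
        user_id, expires, sig = token.split("|")
        expires_at = int(expires)
    except ValueError:
        return False
    expected = _sign(user_id, image, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return (time.time() if now is None else now) < expires_at


# Constructed requests: an app client typically sends no Referer; any client can set one.
APP_REQUEST = {"User-Agent": "ExampleApp/1.0"}
FORGED_REQUEST = {"Referer": "http://www.domain.ltd/"}

if __name__ == "__main__":
    token = issue_token("user42", "cat.jpg")
    print(referer_allows(APP_REQUEST), referer_allows(FORGED_REQUEST))
    print(token_allows(token, "cat.jpg"), token_allows(token, "dog.jpg"))
```

For a check like `token_allows` to mean anything, the image files themselves have to be unreachable by direct URL (for example stored outside the web root) so that the checking script is the only path to them.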

0 Answers