
I want to prevent certain files from ever being cached by a browser (for copyright reasons). I know you can change the headers using PHP:

```php
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past
```

Is this as good as it gets? Can anyone think of additional layers of security?

David Jones

1 Answer


Adding a timestamp in the resource's URL:

```
http://example.com/img.jpg?t=12234234 //append this in the server side
```

This fools the browser and server into thinking that it's a new resource every time. Just make sure the value is different every time. This applies to any resource (anyone correct me if I'm wrong) like plain HTML, images etc.

Random Querystring to avoid IE caching

However, the resource is still stored in the cache regardless if it has expired. All the browser does when a resource expires is to wait until the user checks the site again, re-downloads the resource and overwrites the existing one in the cache. Until the user does that, it does not delete the ones from the cache.


Another way to prevent caching is to use SSL in your connection. By default, browsers do not cache SSL'ed sites - one of the main reasons, aside from additional overhead for decryption, why SSL all over the place is avoided. However, some browsers still allow SSL caching (as far as I know, Firefox does) AND it still does not change the fact that the resource is sent to the user's browser - where it can be intercepted or viewed in a debugger.


All of the methods above can prevent caching but will NOT prevent anyone from stealing your images. The whole idea of the internet is to access resources from another computer. With that said, the user HAS ACCESS to those resources. Anything that arrives at the browser is subject to the user's will. He may look at it, look at the source, intercept it on arrival, view it using a debugger, whatever.

Anything you put in a web page on the internet is like handing over a million dollars in the open - you can't prevent thieves from watching, you may not know if the person you are dealing with is also a thief.


The only fool-proof way to keep your images from being owned by someone else is to place a big watermark on them!

Joseph
  • That technique is often referred to as [cache busting](http://html5boilerplate.com/docs/Version-Control-with-Cachebusting/) – AD7six Feb 23 '12 at 09:48
  • nice to know it has a name also – Joseph Feb 23 '12 at 09:57
  • Thanks for the response Joseph, but this isn't quite what I'm looking for. Even if you add a random string to the URL, the file is still cached. In other words, the user can still easily grab the file from their cache and redistribute it. I'm hoping to find a bulletproof method for not allowing the cache in the first place. – David Jones Feb 27 '12 at 17:30
  • If you are preventing cache because of that reason, well, **you can't**. The whole idea of having a browser is to *"fetch resources from remote servers"*. In other words, the **images will still be loaded into the browser when you view a site regardless if it's cached or not**. You cannot prevent someone from stealing by preventing cache. One way to prevent stealing it is not loading that image at all! Also, even if the cache expires, the resource will still stay in the PC. The browser can only overwrite the resource if a new version is found. You can't force the cache of a user to be deleted. – Joseph Feb 27 '12 at 23:05
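
Added example, not part of the original question or answers: a Python check, following the Cache-Control semantics of RFC 9111, of whether a set of response headers still lets a cache keep a copy. It shows that the headers from the question permit storage with revalidation, while `no-store` is the directive that forbids storage; the function names and sample headers are constructed for illustration.

```python
import re

# One directive: a token, optionally followed by =value or ="quoted value".
_DIRECTIVE = re.compile(r'([\w-]+)(?:\s*=\s*("[^"]*"|[^,\s]*))?')


def parse_cache_control(values):
    """Merge one or more Cache-Control header values into {directive: arg}."""
    directives = {}
    for value in values:
        for name, arg in _DIRECTIVE.findall(value):
            directives[name.lower()] = arg.strip('"') or None
    return directives


def storage_policy(headers):
    """Classify a response from its headers, given as (name, value) pairs.

    'not-stored'       : no-store is present, caches must not keep the body
    'stored-revalidate': a copy may be kept but is checked before reuse
    'stored'           : a copy may be kept; max-age/Expires decide reuse
    """
    cc = parse_cache_control(
        v for k, v in headers if k.lower() == "cache-control"
    )
    if "no-store" in cc:
        return "not-stored"
    # no-cache with field names only covers those fields, so require bare form.
    if "no-cache" in cc and cc["no-cache"] is None:
        return "stored-revalidate"
    if cc.get("max-age") == "0" and "must-revalidate" in cc:
        return "stored-revalidate"
    return "stored"


# Constructed sample responses.
QUESTION_HEADERS = [  # the two headers from the question
    ("Cache-Control", "no-cache, must-revalidate"),
    ("Expires", "Sat, 26 Jul 1997 05:00:00 GMT"),
]
CACHE_BUSTED = [("Cache-Control", "max-age=86400")]  # ?t=... changes the URL only
NO_STORE = [("Cache-Control", "no-store")]

if __name__ == "__main__":
    for label, hdrs in [("question", QUESTION_HEADERS),
                        ("cache-busted", CACHE_BUSTED),
                        ("no-store", NO_STORE)]:
        print(f"{label:13s} -> {storage_policy(hdrs)}")
```

`no-store` only governs caches; the response body is still delivered to the browser.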