blog.humaneguitarist.org

trying to do a better job of image security

[Sat, 08 Feb 2014 15:37:52 +0000]
Just a quick post. I've been thinking about image security lately, in the context of reading ebooks online. Nothing online is going to be totally safe, but I have been thinking of better things I can do to protect an image on a website. I've seen some sites that use image servers to protect access to the direct image, but if the image is called via the <img> tag, then all one has to do is use their browser's "Save web page complete" function. I haven't investigated why, but calling an image via CSS' background-image property [http://www.w3schools.com/cssref/pr_background-image.asp] doesn't result in the image being downloaded via the browser. I found a nice tutorial on "shrink wrapping" an image at http://skinnyartist.com/how-to-shrink-wrap-your-images/. On top of that I used an image proxy script to read and return the data for a given referring URL only, and used .htaccess to block ALL HTTP requests to images within a given folder (the proxy script reads the files straight from disk, so the Apache deny rule doesn't get in its way).

Here's the link to the "demo": http://blog.humaneguitarist.org/uploads/image_proxy/index.php. If you can download the image by hook or crook, I'd appreciate a comment below on how it was done. So far, using just Firefox, I can go to "View Page Info > Media > Save As" and get it, although that's hopefully a bit of a pain and, therefore, a deterrent.

The PHP image proxy script and the .htaccess file are below.

image.php

<?php
function return_image($image_url, $referring_url, $url_prefix="", $fallback_image="") {
    /*
    Takes an image located at ($url_prefix + $image_url) and returns the image data
    provided the HTTP_REFERER is equal to $referring_url. If the image does not exist
    it will fall back to the $fallback_image.
    For the basic code related to proxying data in this way, see:
    "http://www.php.net/manual/en/function.fpassthru.php".
    */

    // restrict access to the image to $referring_url only.
    // (the Referer header is supplied by the client, so this is a deterrent rather than an access control;
    // the isset() check avoids an undefined-index notice when no Referer is sent at all.)
    if (!isset($_SERVER["HTTP_REFERER"]) || $_SERVER["HTTP_REFERER"] != $referring_url) {
        echo "You aren't allowed to see this image directly.";
        exit;
    }

    // $image_url comes straight from the query string; nothing below confines it to the image folder.
    $image_url = $url_prefix . $image_url;
    $binary = null;

    // open the file only for .jpg, .gif, and .png files.
    // (stripos() returns the match position or false, so test against false rather than true,
    // otherwise a match at position 0 is treated as "no match".)
    if (stripos($image_url, ".jpg") !== false || stripos($image_url, ".gif") !== false || stripos($image_url, ".png") !== false) {
        $binary = @fopen($image_url, "rb");
    }

    // use the fallback image if opening the file failed.
    if (!$binary) {
        $image_url = $fallback_image;
        $binary = fopen($image_url, "rb");
    }

    // set the MIME type; send the image; stop the script.
    $extension = substr($image_url, -3); // will not work with extensions over 3 characters, e.g. "jpeg".
    header("Content-Type: image/$extension");
    fpassthru($binary);
    exit;
}

// execute return_image().
if (isset($_GET["q"])) {
    return_image($_GET["q"], "http://blog.humaneguitarist.org/uploads/image_proxy/index.php", "", "");
}
?>

.htaccess

<FilesMatch "\.(?:jpg|gif|png)$">
    Order allow,deny
    Deny from all
</FilesMatch>
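As an added example (my own code, not the blog's PHP), here is the same proxy logic redone in Python so the checks can be exercised offline: the extension allow-list is tested against the file's real extension instead of a substring match, the MIME type is looked up from that extension (so "jpeg" works), and the requested name is confined to the image folder before anything is opened. The folder layout, the placeholder files and the `serve_image()` return shape are assumptions for the demo; the referring URL is the one from the post.

```python
"""Added example, not code from the blog post: the PHP proxy's checks redone in
Python so they can be run offline. Assumed layout: all images sit in one folder
(image_dir), the only page allowed to embed them is REFERRING_URL, and each
request carries a requested file name plus the browser's Referer header."""
import os
import tempfile

# the demo page from the post; the only referrer the proxy accepts
REFERRING_URL = "http://blog.humaneguitarist.org/uploads/image_proxy/index.php"

# allow-listed extensions mapped to the MIME type to send (covers "jpeg",
# which the PHP script's substr(-3) trick gets wrong)
ALLOWED = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
           "gif": "image/gif", "png": "image/png"}


def content_type_for(name):
    """MIME type for the file's real extension, or None if it is not allowed."""
    if "." not in name:
        return None
    return ALLOWED.get(name.rsplit(".", 1)[-1].lower())


def resolve_image(image_dir, requested):
    """Turn the requested name into an absolute path inside image_dir.

    Returns None when the extension is not allowed or the resolved path would
    land outside image_dir (e.g. a name containing "../"), which is the check
    the PHP script's stripos() test does not give you."""
    if content_type_for(requested) is None:
        return None
    base = os.path.realpath(image_dir)
    path = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, path]) != base:
        return None
    return path


def serve_image(image_dir, requested, referer, fallback):
    """Behave like return_image(): returns (status, content_type, body).

    The Referer comparison is kept because the post relies on it, but the
    header is supplied by the client, so it deters casual hotlinking and
    is not an access control."""
    if referer != REFERRING_URL:
        return 403, "text/plain", b"You aren't allowed to see this image directly."
    path = resolve_image(image_dir, requested)
    if path is None or not os.path.isfile(path):
        path = os.path.join(image_dir, fallback)   # same fallback idea as the PHP
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return 404, "text/plain", b"image not found"
    return 200, content_type_for(os.path.basename(path)), data


def build_demo_dir():
    """Create a constructed image folder with two labelled placeholder files."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "page1.jpeg"), "wb") as fh:
        fh.write(b"CONSTRUCTED-JPEG-BYTES")
    with open(os.path.join(d, "fallback.png"), "wb") as fh:
        fh.write(b"CONSTRUCTED-PNG-BYTES")
    return d


if __name__ == "__main__":
    d = build_demo_dir()
    for name, ref in [("page1.jpeg", REFERRING_URL),
                      ("page1.jpeg", "http://example.invalid/"),
                      ("../page1.jpeg", REFERRING_URL),
                      ("page1.jpeg.php", REFERRING_URL)]:
        status, ctype, body = serve_image(d, name, ref, "fallback.png")
        print(f"{name!r} from {ref}: {status} {ctype} {body[:12]!r}")
```

Running the block shows the four cases the post's script does not distinguish cleanly: a good request served with the right MIME type, a wrong referrer refused, and both a traversal-style name and a wrong extension quietly mapped to the fallback image instead of being opened. In production the `.htaccess` deny rule from the post still belongs in front of the folder; this script only decides what the proxy itself is willing to read.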