fanbondi

Reputation: 1047

HTACCESS Rules ISSUE

I have the below rule in my .htaccess to prevent direct access to these file extensions.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https://(www\.)?mydomain\.com [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?mydomain\.com.*$ [NC]
RewriteRule \.(txt|pdf|jpg|png|svg)$ - [F]

It works in Chrome, Firefox and Safari. As for Internet Explorer 11 and Edge, it blocks all these file types even when they are not accessed directly. E.g. if a page contains image.png, that image will not be displayed.

Note: it is the same as "(htaccess) How to prevent a file from DIRECT URL ACCESS?", because the direct access is not working only on IE 11 and Edge but is working in other browsers.

Upvotes: 2

Views: 696

Answers (1)

Martin

Reputation: 22760

As stated by Anubhava, this appears to be because some browsers do not by default support providing the HTTP_REFERER header value.

Reading up about this issue (list of links below), it seems to be one that has slipped between the cracks of web best practice; the value HTTP_REFERER is insecure and easily forged (hence more recent editions of various browsers don't include it).

As well as that, it seems to be the only way of checking (surprise!) the referring page to a call to HTML headers.

This is why the .htaccess behavior changes based on different browsers.

There are a couple of solutions that I know of; neither is perfect and one takes quite a bit of recoding.

First Solution

The issue with Edge is that a HTTP_REFERER value is not given, so simply allow in your .htaccess if this value is empty, using a mod_rewrite OR flag:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$ [OR]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?mydomain\.com(.*)?$ [NC]
RewriteRule \.(txt|pdf|jpg|png|svg)$ - [F]

This adds a check for an empty/null HTTP_REFERER, then an OR logic gate and then I've summarised your previous two rules into a single rule of domain plus optional filepath string.

The plus side to this is that Edge [should] work, but that anything which does not supply a HTTP_REFERER value (such as a new browser window) will also be allowed. Read more about a better variation on this approach here.

Secondary Solution(s)

  • a) Use a cookie to inform the .htaccess that the site has already been visited and to react accordingly. Give the cookie a small timeframe and you'd have to work out your own way of building the cookie setting system.

OR

  • b) If you want to be really coy, a cookie-reading system built into the images, such as using PHP files to call images, itself masquerading as a .jpg file etc. This will do what you need (disallow direct access) but will be a significant work overhead.

For example, if you have a file in your <img src='/image.jpg?x=47457'> and this image.jpg is in fact a PHP file that calls a JPG image referenced by 47457...

  • c) You could even extend this with a mod_rewrite so that any call to a jpg file can in fact be redirected to imageprocessing.php?input=image.jpg, where the PHP code can then check there is a valid cookie/session before loading and outputting the appropriately referenced file...

Anyhow, (b) and (c) are potentially long and complex but could provide the most malleable results.

Reading List

Upvotes: 1
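Added example, not code from either post: a small Python model of how mod_rewrite evaluates a RewriteCond chain, applied to the question's conditions, the answer's [OR] variant and the same two conditions with the flag dropped (implicit AND), for an absent, a same-site and a cross-site referer; mydomain.com is taken from the thread, the request paths are constructed. Because any referer value satisfies one of the two negated conditions once they are joined with [OR], that chain fires for every request, while the implicit-AND chain lets the empty referer through and still forbids cross-site referers.

```python
import re

# Constructed model of mod_rewrite RewriteCond chaining (added example, not code
# from either post). A chain is a list of RewriteCond lines as (pattern, negated,
# nocase, or_flag); lines are ANDed unless one carries [OR], which ORs it with
# the next line, as Apache does.
BLOCKED_EXT = re.compile(r"\.(txt|pdf|jpg|png|svg)$")

# The question's chain: two negated same-site patterns (the second is redundant).
ORIGINAL = [
    (r"^https://(www\.)?mydomain\.com", True, True, False),
    (r"^https://(www\.)?mydomain\.com.*$", True, True, False),
]
# The answer's First Solution: a negated empty-referer test joined with [OR].
ANSWER_OR = [
    (r"^$", True, True, True),
    (r"^https://(www\.)?mydomain\.com(.*)?$", True, True, False),
]
# The same two lines without the flag, i.e. the implicit AND.
IMPLICIT_AND = [(p, n, c, False) for p, n, c, _ in ANSWER_OR]

def cond_passes(referer, pattern, negated, nocase):
    """Evaluate one RewriteCond %{HTTP_REFERER} [!]pattern [NC] line."""
    hit = re.search(pattern, referer, re.IGNORECASE if nocase else 0) is not None
    return not hit if negated else hit

def chain_passes(chain, referer):
    """True when the conditions let the RewriteRule that follows them fire."""
    i = 0
    while i < len(chain):
        group = [chain[i]]                  # an OR group spans consecutive [OR] lines
        while chain[i][3] and i + 1 < len(chain):
            i += 1
            group.append(chain[i])
        if not any(cond_passes(referer, p, n, c) for p, n, c, _ in group):
            return False                    # one failed AND term stops the chain
        i += 1
    return True

def status(chain, path, referer=""):
    """403 if the thread's 'RewriteRule ... - [F]' fires for this request, else 200."""
    if not BLOCKED_EXT.search(path):
        return 200
    return 403 if chain_passes(chain, referer) else 200

if __name__ == "__main__":
    # Constructed requests for /image.png: no Referer (IE/Edge here), same-site, cross-site.
    for ref in ("", "https://www.mydomain.com/page.html", "https://other.example/"):
        print(repr(ref), [status(c, "/image.png", ref) for c in (ORIGINAL, ANSWER_OR, IMPLICIT_AND)])
```

A client that sends a same-site Referer value of its own choosing passes every chain, which is the forgeability the answer points out; the model only shows what each chain does with the value it is given.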
