-
I have solved the problem by adding the following code at the beginning of the storage.php file, in case anyone wants to use it.
```php
// Check that the referer is from your domain
if (isset($_SERVER['HTTP_REFERER'])) {
    $referer = $_SERVER['HTTP_REFERER'];
    if (strpos($referer, 'https://xxxxxxxxxxxxxxx.com') !== 0) {
        // If the referer is not from your domain, redirect to the 'not found' page
        header('Location: https://xxxxxxxxxxxxxxxxx.com/notfound');
        exit;
    }
} else {
    // If there is no referer, redirect to the 'not found' page
    header('Location: https://xxxxxxxxxxxxxxxx.com/notfound');
    exit;
}
```
-
Hello @Antonio!
Thanks, perhaps it will be useful. Your original request means that someone can inspect the closed code and pass the file URL to others. But the name of every file is auto-generated and can't be calculated. So the non-public files are in a safe zone, security-wise.
-
Be advised: some JavaScript fetch methods do not properly use the headers, and even old-school 2011-2013 Apache methods have been known to fail.
I think you are overthinking it, because, in order to get that URL, a member would already have needed to be logged in.
You are actually stopping hot-linking with that code. Firefox is notorious for breaking those rules, and for failing in many instances where such referrer code is checked.
Plus, anyone who actually wants to get that video, and has any smarts, can set the referrer header themselves. I tried to explain that the server itself doesn't know if you're logged in to UNA. I personally can think of a dozen ways around that check.
Personally, the way I tackled the situation of subscriber content on my site (paid-for videos, photos, etc.) was a proprietary proxy that only streams or sends the image if the viewer is subscribed to the content, which is foolproof.
Anyhow, whatever you feel is best for you is all that matters. 😊
-
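To make the two positions in this thread concrete, here is an added example (not UNA's code and not the code any poster above shared) that puts them side by side: the Referer test rewritten as a function that compares the parsed origin instead of a raw string prefix, and a session-plus-database gate of the kind the last reply describes, which decides on the server whether to stream the file at all. The names `SITE_ORIGIN`, `$_SESSION['member_id']`, the `$canAccess` callback and the `protected_file_status()` / `stream_protected_file()` helpers are assumptions for illustration, not UNA APIs.

```php
<?php
// Added example, not UNA's code and not the code posted above.
// Assumptions: the login flow stores the member id in $_SESSION['member_id'],
// protected files live outside the web root in the directory passed to
// stream_protected_file(), and the $canAccess callback is your own
// subscription lookup (hypothetical; UNA has no function by that name here).
declare(strict_types=1);

const SITE_ORIGIN = 'https://xxxxxxxxxxxxxxx.com';

/**
 * The Referer test from the thread as a function. It compares the parsed
 * scheme and host with the site origin instead of a raw string prefix, so
 * "https://xxxxxxxxxxxxxxx.com.evil.example/" no longer passes. The Referer is
 * still chosen by the client (curl -H 'Referer: ...'), so this only deters
 * casual hot-linking; it cannot tell whether the requester is logged in.
 */
function referer_is_own_origin(array $server, string $origin = SITE_ORIGIN): bool
{
    if (empty($server['HTTP_REFERER'])) {
        return false;
    }
    $got  = parse_url($server['HTTP_REFERER']);
    $want = parse_url($origin);
    if ($got === false || !isset($got['scheme'], $got['host'])) {
        return false;
    }
    return strcasecmp($got['scheme'], $want['scheme']) === 0
        && strcasecmp($got['host'], $want['host']) === 0;
}

/**
 * Server-side gate in the spirit of the proxy described in the last reply:
 * the decision comes from the session and the database, never from headers
 * the client controls. Returns the HTTP status the caller should send
 * (200 = stream the file).
 */
function protected_file_status(array $session, string $fileId, callable $canAccess): int
{
    if (empty($session['member_id'])) {
        return 401;                                  // not logged in
    }
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $fileId)) {
        return 404;                                  // blocks "../" style ids
    }
    return $canAccess((int) $session['member_id'], $fileId) ? 200 : 403;
}

/** Send the file with explicit headers; call only after a 200 from protected_file_status(). */
function stream_protected_file(string $dir, string $fileId, string $mime): void
{
    $path = $dir . DIRECTORY_SEPARATOR . $fileId;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . (string) filesize($path));
    header('Cache-Control: private, no-store');
    readfile($path);
    exit;
}

// Demonstration on constructed inputs; run with: php referer_vs_session.php
if (PHP_SAPI === 'cli') {
    $cases = [
        'spoofable: header set by a curl client' => ['HTTP_REFERER' => SITE_ORIGIN . '/video/1'],
        'prefix trick domain'                    => ['HTTP_REFERER' => SITE_ORIGIN . '.evil.example/'],
        'no Referer (privacy setting or fetch)'  => [],
    ];
    foreach ($cases as $label => $server) {
        printf("referer check, %s: %s\n", $label, referer_is_own_origin($server) ? 'allowed' : 'blocked');
    }

    // Stand-in for the subscription lookup: only member 7 paid for file abc123.
    $subscribed = fn(int $memberId, string $fileId): bool => $memberId === 7 && $fileId === 'abc123';
    foreach ([[], ['member_id' => 7], ['member_id' => 8]] as $session) {
        printf("session gate, member %s: HTTP %d\n",
            $session['member_id'] ?? 'none', protected_file_status($session, 'abc123', $subscribed));
    }
    printf("session gate, bad id: HTTP %d\n", protected_file_status(['member_id' => 7], '../etc/passwd', $subscribed));
}
```

The first loop shows why the thread's objection holds: the request whose Referer was simply typed into a curl command is indistinguishable from a browser navigation and is allowed, while a browser that strips the Referer for privacy is blocked. The second loop shows the alternative: the outcome depends only on session state and the subscription lookup, so knowing or sharing the file URL gains nothing without a paying session. In a real storage.php you would call `protected_file_status()` first and only reach `stream_protected_file()` on a 200; the files themselves must sit outside the document root so the web server never serves them directly.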