I suddenly get a lot of requests to my site (wget, curl etc...).
I do not want any of these requests to be executed unless a user has visited my site at least once using a valid browser (like Firefox or Chrome).
Is there an Apache Module to do this? What can I do?
The concept is simple: create a token that will be used in the files you want to protect. This token (key like "abc123" - saved in the session, not cookies) will be used in every file you load. This way, if the token does not match from the file you can redirect to a page not found or access denied.
Set up the token in index.php:
<?php
session_start();
header("Cache-Control: no-cache, must-revalidate");
header("Expires: Mon, 10 Oct 2005 05:00:00 GMT");
$_SESSION['siteToken'] = "abc123";
?>
<html>
<head>
<link rel="stylesheet" type="text/css" href="/style.css" />
</head>
<body>
Now for CSS and JavaScript files you need to check the token to make sure it's set and it's the right value.
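// style.php (requested as /style.css)
<?php
session_start();
header("Content-type: text/css");
header("Cache-Control: no-cache, must-revalidate");
header("Expires: Mon, 10 Oct 2005 05:00:00 GMT");
// Refuse to serve the stylesheet unless index.php has set the token in this session.
if (!isset($_SESSION["siteToken"]) || $_SESSION["siteToken"] !== "abc123") {
    session_regenerate_id();
    die(); // or redirect
}
?>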
body { background-color: #000; color: #fff; }
etc...
You do the same thing for the JavaScript file.
The next step is to update your .htaccess to make sure the CSS and JavaScript files are parsed correctly:
RewriteEngine on
RewriteBase /
RewriteRule ^style\.css$ style.php [NC,L]
In addition you can add this in your .htaccess to protect bad bots from querying files:
SetEnvIfNoCase User-Agent "^Wget" bad_bot
SetEnvIfNoCase User-Agent "^EmailSiphon" bad_bot
SetEnvIfNoCase User-Agent "^EmailWolf" bad_bot
SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot
#etc...
Deny from env=bad_bot
Now as for the images. This solution will work as well but it will be slower than parsing the CSS and JavaScript files.
The logic is the same but instead of echoing you have to read the file (using readfile).
Also, you have to change the header based on the extension of the file.
The alternative for this will be to set this in your .htaccess file:
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain\.com [NC]
RewriteRule \.jpg$ - [NC,F,L]
Although, this is not bulletproof.
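The image gate the answer describes (session check, then readfile with a Content-Type chosen by extension), as an added example that is not part of the original answer. The file name image.php, the protected_images directory, the f parameter and the rewrite rule in the comment are assumptions.

```php
<?php
// image.php: added example, not code from the original answer.
// Assumed rewrite: RewriteRule ^img/(.+)$ image.php?f=$1 [L]
session_start();

const IMAGE_DIR = __DIR__ . '/protected_images'; // hypothetical storage directory
// Extension => Content-Type; anything not listed here is refused.
const MIME_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// Same session token check as the stylesheet script in the answer.
if (!isset($_SESSION['siteToken']) || $_SESSION['siteToken'] !== 'abc123') {
    deny(403);
}

// basename() drops any directory part, so "../" cannot leave IMAGE_DIR.
$name = basename((string) ($_GET['f'] ?? ''));
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if ($name === '' || !array_key_exists($ext, MIME_TYPES)) {
    deny(404);
}

// realpath() resolves symlinks; confirm the result is still inside IMAGE_DIR.
$base = realpath(IMAGE_DIR);
$path = realpath(IMAGE_DIR . '/' . $name);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    deny(404);
}

header('Content-Type: ' . MIME_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: no-cache, must-revalidate');
session_write_close(); // release the session lock before streaming the file
readfile($path);
```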