Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/billiegoose/connect-block-hotlinks
Middleware for blocking cross-origin requests (hotlinks)
Last synced: 24 days ago
- Host: GitHub
- URL: https://github.com/billiegoose/connect-block-hotlinks
- Owner: billiegoose
- License: mit
- Created: 2015-10-01T20:13:02.000Z (over 9 years ago)
- Default Branch: master
- Last Pushed: 2015-10-07T21:03:48.000Z (over 9 years ago)
- Last Synced: 2024-10-08T10:23:04.044Z (3 months ago)
- Language: CoffeeScript
- Size: 141 KB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# connect-block-hotlinks
I wrote this middleware to keep people from embedding my site's images into their own sites.
It compares the HTTP headers `Host` and `Referer` to make sure they are from the same 2nd-level domain.
For example, if `Host` is `img.example.com` then the `Referer` can be `http://example.com/` or `http://blog.example.com/`
but not `http://another.com/`.

This will not stop a determined attacker! The `Referer` header is set by the client, so anyone fetching the image with `curl` or a script can forge it. For that you should use authentication mechanisms (for example signed, expiring image URLs); CORS does not help here, because browsers load an `<img src>` without any CORS check. But it will
prevent people stealing your bandwidth by using a URL to your image in the `src` of an `<img>` tag on another site.

## API
It follows a classic Connect/Express middleware pattern:
```javascript
var express = require('express');
var blockHotlinks = require('connect-block-hotlinks');

var app = express();
app.use('/img/*', blockHotlinks);
```

Depending on the request, the middleware will either:
- do nothing, and call `next()` so the route can be handled by the next route handler (when `Host` and `Referer` share a 2nd-level domain).
- return a 403 Forbidden "Missing 'Host' HTTP Header"
- return a 403 Forbidden "Missing 'Referer' HTTP Header"
- return a 200 OK with the placeholder image `hotlinking-disallowed.png` (when the 2nd-level domains differ).