Prevent hotlinking of Amazon S3 files?

Question

I\'d like to allow anyone to play a video located in my s3 on my site as the src on a tag but not allow people to us

Answer 1

Given that CloudFront currently does not let you directly restrict access (to the best of my understanding), I would do something like:

Then your media.php file looks like:

if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] != 'my-site.com')
{
  header('HTTP/1.1 503 Hot Linking Not Permitted');
  // display some message / image / video
  exit;
}

# this base url changes from time to time
$url = 'http://cdn.my-site.com';

header("Location: $url/{$_GET['v']}");

To make it less obvious, you may want to set up a rewrite to route /media/my-video.mp4 into the file. That way, it doesn't look like there is an intermediate PHP script.

Exactly how you do the referrer check depends on the level of security you want. Some people disable referrers, so you may want to allow empty ones. Or you could even check to see if a session variable or cookie exists, etc.

Of course, the end user will be able to sniff out the real URL. This is why you may want to change your CNAME from time to time.

This solution is hopefully good enough to discourage people from abusing your site, but is by no means perfect.