Prevent hotlinking in Azure Blob Storage

9
votes

One of my concerns about using Azure Blob Storage is hotlinking.

It looks like a good idea to put static content (images, videos, audio, large JS and CSS files, etc..) in a public container, but then nothing stops other websites to link this content and use it in their websites. Therefore, some webmasters using my content in their sites, would cost me money.

A common protection for hotlinking is to filter by the Referer HTTP header. How can this be accomplished in Microsoft Azure Blob Storage?

Apparently, it is possible in Amazon S3.

I know this would be bad for Google Image search, since it would be unable of showing my pictures, but well... I could live with that.

Cheers.

2
azureazure-storageazure-storage-blobs

2 Answers

3
votes

Windows Azure doesn't support adding logic to Blob Storage like you can in Amazon S3. But for this specific scenario you would typically use SAS (Shared Access Signatures).

You would need to change your container to private access. This means files can only be accessed if you have one of the two keys or if you have a SAS. So typically it would be your web server generating the SAS and apply it to the URL of the image for example. By working with SAS signatures you can allow access to a file for a specific amount of time (let's say 10min), which would prevent hotlinking.

The url of your file with a SAS would look like this:

https://storageaccountname.blob.core.windows.net/container/path/image.jpg?sv=2012-02-12&se=2012-11-19T19%3A25%3A32Z&sr=b&sp=r&sig=s6QIdwAGY4xC8fs4L9pK8hAGIY%2F8x58aqBcFbejYPdM%3D

1
votes

Along with SAS you can use cache-control header for the blob to minimize the read operations of your private static content of blob storage. This might be helpful - TechNet wiki article. Do let me know your views.