In modern internet company operations, anti-hotlinking technology plays an increasingly important role. For example, websites typically apply anti-hotlinking protection to content so that it is available only to specific users; users without permission cannot access the content even if they obtain the link address. Starting from common hotlinking methods and their characteristics, this article introduces the harm hotlinking causes to victim websites and their users, and shows how AWS services can be used to block hotlinking and protect access to website data.
Forms and Harms of Hotlinking
Currently, common hotlinking processes on the internet are shown in the diagram below:

Figure 1: Hotlinking Process
As shown in the diagram above, during hotlinking, the hotlinking website itself does not provide all the content needed for the webpage. Part of the webpage content comes from the victim website. In this process, the victim website actually bears part of the hotlinking website's business traffic and pressure, while the hotlinking website steals this data traffic and computing resources, and even customer traffic, to support its own business. The victim website has to bear the operational costs brought by the stolen traffic and computing resources, causing economic losses to the victim website.
At the same time, because hotlinking is covert, end users often cannot detect hotlinking behavior in time. In some scenarios, hotlinking can even cause economic losses to end users.
Referer-Based Anti-Hotlinking Solutions
Determining Access Permission Based on HTTP Headers
The HTTP specification defines the referer header field (see RFC 1945 and RFC 7231) to indicate the source of an HTTP request. The browser sets this value when it initiates the request, and it identifies where the request came from. For example, when a user clicks a link on a webpage, the browser sends an HTTP request to the server with the referer field set to the address of the page that references the resource, that is, the page the user clicked on.
Using AWS Services to Implement Referer Checking
- Solution 1: Implement referer checking through WAF
AWS WAF is the web application firewall service provided by AWS. It works with CloudFront, ALB, or API Gateway and filters web requests through web access control lists (web ACLs); a rule that inspects the referer header can therefore reject hotlinking requests before they reach the origin.
Using URL Verification to Enhance Data Access Security
Checking HTTP header fields handles common hotlinking scenarios, but it is not sufficient on its own: the referer value is supplied by the client, so a hotlinker can still use more sophisticated methods, such as client-side scripts, to generate requests carrying legitimate-looking HTTP headers and gain access to the files.
To further strengthen file access security, you can add a time-limited random verification code as a signature to the requested URL. Users access the resource through the signed address; on the server side, the system recomputes the signature, confirms that it is correct and has not expired, and thereby decides whether the current request is permitted to access the corresponding file.
CloudFront signed URLs provide a complete signature management solution, including an API for generating signed URLs and a signature verification mechanism integrated into CloudFront, which simplifies resource access control.
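The following is an added example of the time-limited signed-URL scheme described above, written in Python with HMAC-SHA256; it is not CloudFront's own signature format (which uses RSA key pairs) or code from the AWS documentation. The `Expires` and `Signature` parameter names, the signing secret and the sample URL are all constructed for illustration; the verifier rejects requests whose signature is missing, expired, or does not match the requested path.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed secret for this example only; a real deployment loads it from a
# secret store and never embeds it in source or in the URL itself.
SECRET = b"example-signing-secret"


def sign_url(url: str, ttl_seconds: int, now: int, secret: bytes = SECRET) -> str:
    """Append an expiry timestamp and an HMAC over (path, expiry) to the URL.

    Binding the path into the signed message means a signature issued for one
    file cannot be reused to fetch a different file.
    """
    parts = urlsplit(url)
    expires = now + ttl_seconds
    message = f"{parts.path}:{expires}".encode()
    signature = hmac.new(secret, message, hashlib.sha256).hexdigest()
    query = dict(parse_qsl(parts.query))
    query.update({"Expires": str(expires), "Signature": signature})
    return parts._replace(query=urlencode(query)).geturl()


def verify_url(url: str, now: int, secret: bytes = SECRET) -> bool:
    """Return True only if the URL carries a valid, unexpired signature."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    try:
        expires = int(query["Expires"])
        presented = query["Signature"]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters: deny
    if now > expires:
        return False  # signature has expired
    message = f"{parts.path}:{expires}".encode()
    expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the expected value.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed fixed clock for a reproducible run
    signed = sign_url("https://cdn.example.com/video/1.mp4", 300, now=issued_at)
    print(signed)
    print("valid now:", verify_url(signed, now=issued_at + 100))
    print("valid after expiry:", verify_url(signed, now=issued_at + 301))
```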
Anti-Hotlinking Technology for Media Resources
Media resources can be protected with more secure access management through DRM (digital rights management) technology.
DRM encrypts the media resource and stores the URL of the media license authorization center together with the key ID in the media file header, thereby enforcing access control at the content level. When a user plays the media, the player must also obtain the corresponding key from the authorization center to decrypt the content. Unauthorized users cannot play the media even if they obtain the media file itself.
AWS Elemental MediaPackage supports packaging DRM information into media files, providing more secure access control for media content.