Apache2::checkReferer - Prevent most "deep linking"


Apache2-checkReferer documentation Contained in the Apache2-checkReferer distribution.


NAME

Apache2::checkReferer - Prevent most "deep linking"

VERSION

Version 0.02

SYNOPSIS

In httpd.conf:

<Location /img/mybig.jpeg>

    PerlAccessHandler Apache2::checkReferer

    # option (default no) allow direct access
    # only check referer if there is one.
    PerlSetVar noRefererOK yes

</Location>

You can steal my pictures and put them on your own server. Most browsers send a referer header; some (behind a proxy) do not. Also, some search bots do not send a referer header.

FUNCTIONS

handler

A mod_perl2 handler. Checks whether or not your site's name is used in the referer header.

AUTHOR

Henk van Oers, <hvo.pm at xs4all.nl>

BUGS

Please report any bugs or feature requests to bug-apache2-checkreferer at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Apache2-checkReferer. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

SUPPORT

You can find documentation for this module with the perldoc command.

    perldoc Apache2::checkReferer




You can also look for information at:

* RT: CPAN's request tracker

http://rt.cpan.org/NoAuth/Bugs.html?Dist=Apache2-checkReferer

* AnnoCPAN: Annotated CPAN documentation

http://annocpan.org/dist/Apache2-checkReferer

* CPAN Ratings

http://cpanratings.perl.org/d/Apache2-checkReferer

* Search CPAN

http://search.cpan.org/dist/Apache2-checkReferer

ACKNOWLEDGEMENTS

Thanks to Mark Overmeer, Jan-Pieter Cornet and Juerd Waalboer of the Amsterdam Perl Mongers (http://amsterdam.pm.org) for their contributions and advice.

COPYRIGHT & LICENSE


package Apache2::checkReferer;

use warnings;
use strict;

our $VERSION = '0.02';

use Apache2::RequestRec ();
use Apache2::RequestUtil ();
use Apache2::Connection ();
use Apache2::Log ();
use Apache2::Const -compile => qw(OK FORBIDDEN);

sub handler {
    my $r = shift;

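    # Called in void context, this populates %ENV with the CGI-style
    # variables (HTTP_REFERER, HTTP_HOST, ...) read below.
    $r->subprocess_env;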
    
    unless (defined $ENV{'HTTP_REFERER'}) {
        my $location = $r->location;
        my $uri      = $r->uri;
        my $ip       = $r->connection->remote_ip;
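        # Apply the 'no' default before lc() so an unset noRefererOK
        # does not raise an "uninitialized value" warning.
        my $ok       = lc($r->dir_config('noRefererOK') || 'no');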
        if ($ok ne 'yes' && $ok ne 'no') {
            $ok = 'no';
        }
        $r->log_error("checkReferer: $location, $uri, $ip noRefererOK=$ok");
        return Apache2::Const::FORBIDDEN
            if $ok eq 'no';
        return Apache2::Const::OK;
    }
    
    my $referer = $ENV{'HTTP_REFERER'};
    my $host    = $ENV{'HTTP_HOST'} || 'no host';
    
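    # The pattern is not anchored: it matches "://<host>" followed by ':'
    # or '/' at any position in the Referer value.
    my $prefered = qr{://\Q$host\E[:/]}i;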
    if ($referer !~ $prefered) {
        my $location = $r->location;
        my $uri      = $r->uri;
        $r->log_error("checkReferer: $location, $uri, $host, $referer .");
        return Apache2::Const::FORBIDDEN;
    }
    
    return Apache2::Const::OK;
}

1; # End of Apache2::checkReferer
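
The handler's decision, restated as a stand-alone Perl function and run over constructed Referer values; this is an added example, not code from the Apache2-checkReferer distribution. The check_referer function, its $strict switch and the anchored pattern are assumptions of this example; the other pattern is the one the handler uses.

```perl
#!/usr/bin/perl
# Added example: the handler's Referer decision as a pure function (no mod_perl needed).
use strict;
use warnings;

# Returns 'OK' or 'FORBIDDEN'.
# $strict is this example's own switch (hypothetical, not a module option):
#   0 = the pattern used by the handler, 1 = a pattern anchored at the URL start.
sub check_referer {
    my ($referer, $host, $no_referer_ok, $strict) = @_;

    # No Referer header: the outcome depends only on noRefererOK.
    unless (defined $referer) {
        return lc($no_referer_ok || 'no') eq 'yes' ? 'OK' : 'FORBIDDEN';
    }

    $host ||= 'no host';
    my $pattern = $strict
        ? qr{^https?://\Q$host\E(?:[:/]|\z)}i   # host must be the URL's authority
        : qr{://\Q$host\E[:/]}i;                # handler's pattern: matches anywhere
    return $referer =~ $pattern ? 'OK' : 'FORBIDDEN';
}

# Constructed sample requests: [ Referer, Host, noRefererOK ]
my @cases = (
    [ 'http://www.example.org/gallery.html',                 'www.example.org', 'no'  ],
    [ 'http://www.example.org:8080/gallery.html',            'www.example.org', 'no'  ],
    [ 'http://other.example.net/page.html',                  'www.example.org', 'no'  ],
    [ 'http://other.example.net/?u=http://www.example.org/', 'www.example.org', 'no'  ],
    [ 'http://www.example.org',                              'www.example.org', 'no'  ],
    [ undef,                                                 'www.example.org', 'no'  ],
    [ undef,                                                 'www.example.org', 'yes' ],
);

printf "%-55s %-12s %-10s %s\n", 'Referer', 'noRefererOK', 'handler', 'anchored';
for my $case (@cases) {
    my ($referer, $host, $ok) = @$case;
    printf "%-55s %-12s %-10s %s\n",
        defined $referer ? $referer : '(none)', $ok,
        check_referer($referer, $host, $ok, 0),
        check_referer($referer, $host, $ok, 1);
}
```

The fourth and fifth rows are where the two patterns disagree: a foreign Referer that carries the host name in its query string, and a Referer that ends directly after the host name.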