W3 Total Cache
[resolved] How to stop Amazon s3/cloudfront hotlinking? (8 posts)

  1. Hayden James
    Posted 5 years ago #

    We have a lot of issues with hotlinking.

    Is the s3flowshield WordPress plugin (http://www.s3flowshield.com/) compatible with w3-total-cache?

    I found out about it here:

    If not, what solution is there to prevent hotlinking of images?

    Note: We are a digital art gallery website.


  2. raboo
    Posted 5 years ago #

    S3flowshield is, just like S3Media Stream, a video/audio plugin. It does not display images except poster images for the videos, and as such they are not protected against hotlinking because they are not produced via expiring URLs. You may learn more on this subject via http://www.wp21century.com

    I hope this is useful?

  3. Hayden James
    Posted 5 years ago #

    "If not what solution is there to prevent hotlinking of images?"

  4. Hayden James
    Posted 5 years ago #

    I emailed S3FlowShield a link to this thread. Here's their response:

    "That post is incorrect. S3FlowShield can generate authenticated/expiring URLs for any file stored on S3, so you can indeed protect your images."

    Unfortunately I don't want additional URLs. lol

  5. Backie
    Posted 5 years ago #

    If you are just using S3 you can use a bucket policy to prevent hotlinking by referrer; however, this won't work when using CloudFront. I also suspect any expiring URL is an S3-only feature too.

  6. Frederick Townes
    Plugin Author

    Posted 5 years ago #

    I think @Backie's advice is accurate.

  7. mbeneteau
    Posted 5 years ago #

    There are two issues here: one is hotlinking of images or other protected content (i.e. course PDFs) and the other is video protection.

    s3flowshield is designed for video protection, not really for images. I don't know if it will work for that purpose. It works by generating long URLs that are too complicated to share. I don't know about "expiring URLs" except that it does NOT support the type of expiring URLs that CloudFront private distributions use (more on this below). It works fine for generating expiring URLs to videos stored on S3, via its own internal mechanism, but it won't work with RTMP or private distribution.

    Backie and Frederick are correct: you can use an S3 bucket policy to prevent hotlinking by only allowing certain referrers:
    but I don't think this will work on CloudFront (CloudFront files are sourced by S3, but it's a different security mechanism)

    Now about video protection

    Neither S3Flowshield nor Easy Video Player (as of today) implements CloudFront private distributions for RTMP streaming. This is a mechanism whereby the request to CloudFront is digitally signed (with a key pair). These signed requests can carry an expiry date, can limit to only one IP address, etc. These (signed) URLs must be dynamically generated for each user request or page load (and made to expire in, say, 15 minutes -- if the user doesn't start the video or refresh the page in 15 minutes, the video won't play).

    I am writing a plugin called "Cloudfront private distribution extension for JWPlayer" that will generate these expiring URLs. It's not that complicated, and there is complete sample code here

    I have a video that teaches how to set up a CloudFront streaming distribution with JWPlayer here, if interested (not private distribution):


    If you have any questions please post them there.
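
The referrer-restricting S3 bucket policy that Backie and mbeneteau mention, as an added example that is not part of any post in this thread or of W3 Total Cache. The bucket name `example-bucket`, the site `example.com` and the helper `is_allowed` (a simplified stand-in for S3's policy evaluation) are assumptions; the sample requests are constructed.

```python
from fnmatch import fnmatchcase

# Placeholder names (assumptions): bucket "example-bucket", site "example.com".
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowGetOnlyFromOwnPages",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        # The "/" before "*" pins the host name; "example.com*" would also
        # match host names that merely start with example.com.
        "Condition": {"StringLike": {"aws:Referer": [
            "https://www.example.com/*",
            "https://example.com/*",
        ]}},
    }],
}

def is_allowed(policy, bucket, key, referer):
    """Simplified model of S3 evaluating an anonymous GET against the policy.
    Handles only Allow/s3:GetObject statements with a StringLike aws:Referer
    condition; a request that matches no Allow statement is denied."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "s3:GetObject":
            continue
        if not fnmatchcase(arn, stmt["Resource"]):
            continue
        patterns = stmt["Condition"]["StringLike"]["aws:Referer"]
        # With no Referer header there is no value to match, so the condition fails.
        if referer is not None and any(fnmatchcase(referer, p) for p in patterns):
            return True
    return False

# Constructed sample requests: (description, Referer header or None if absent)
SAMPLES = [
    ("image embedded in own page", "https://www.example.com/gallery/42"),
    ("image hotlinked from another site", "https://other.example.net/post"),
    ("direct load or Referer stripped in transit", None),
    ("lookalike host name", "https://www.example.com.other.example.net/x"),
]

def evaluate_samples():
    return {desc: is_allowed(BUCKET_POLICY, "example-bucket", "art/piece.jpg", ref)
            for desc, ref in SAMPLES}

if __name__ == "__main__":
    for desc, ok in evaluate_samples().items():
        print("ALLOW" if ok else "DENY ", desc)
```

The Referer header is supplied by the client, so a policy like this deters casual embedding on other sites rather than authenticating the requester, and it also denies legitimate visitors whose browser or proxy omits the header.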


  8. raboo
    Posted 5 years ago #

    Hydn@: Matt from S3Flowshield refers to the expiring link feature, but that has nothing to do with displaying images on a site while being protected against hotlinking.

    mbeneteau@: S3Media Stream already features private RTMP streaming video and audio via CloudFront and it offers a whole host of other options to play video and audio. It fully supports HTML5 fallback to video and audio as well so that iPhone, iPad and other rich media capable mobiles are covered.

Topic Closed

This topic has been closed to new replies.
