Referer foolishness
Thursday, March 13th, 2003

Recently, there’s been a discussion on The WELL about how some people are having trouble viewing pages on Fotolog. It turns out that Fotolog is restricting access to images based on the HTTP Referer (yes, that’s how it’s spelled in HTTP) header in an unfortunate way. Surely their goal is to prevent bandwidth thieves (intentional or otherwise) from embedding Fotolog images directly into their own pages. That’s a serious problem, but Fotolog’s solution is not good.

Rules to limit image access based on Referer are pretty common. It’s one of the first things most people think of when they discover they have a problem with people using their images on other sites. And it tends to work fairly well. But a lot of people who implement Referer restrictions don’t really understand all the implications, limitations and tricky configuration issues. There are a few key things to always remember when setting up Referer-based access control.
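To make the kind of rule under discussion concrete, here is an added Python example (not code from this post or from Fotolog) that compares a strict substring check with a check that parses the Referer host. The host names, function names, and the choice to serve requests that carry no usable Referer (the header is optional, and some clients and proxies omit it) are assumptions of the example.

```python
from urllib.parse import urlsplit

# Hypothetical site names, constructed for this example.
ALLOWED_HOSTS = {"photos.example", "www.photos.example"}


def referer_host(referer):
    """Return the lowercase host named by a Referer value, or None if unusable."""
    if referer is None or not referer.strip():
        return None
    try:
        parts = urlsplit(referer.strip())
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()


def naive_allow(referer):
    """Strict rule, shown for comparison: a substring match on the raw header.

    It turns away every visitor whose request has no Referer, and it accepts
    any foreign URL that merely contains the site name.
    """
    return referer is not None and "photos.example" in referer


def allow_image(referer, allowed_hosts=ALLOWED_HOSTS):
    """Lenient rule: refuse only when a Referer is present and names another host.

    Assumption of this example: an absent or unparseable Referer is served,
    because the header is optional and legitimate visitors may not send it.
    """
    host = referer_host(referer)
    if host is None:
        return True
    return host in allowed_hosts


# Constructed sample Referer values (None means the header was not sent).
SAMPLES = [
    None,
    "http://photos.example/user/page.html",
    "http://other.example/blog.html",
    "http://other.example/?from=photos.example",
    "http://photos.example.other.example/x",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{str(ref):45} naive={naive_allow(ref)!s:5} parsed={allow_image(ref)}")
```

Either rule only deters casual embedding, since the Referer value is supplied by the client.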

