As a webmaster, you know that hotlinking can be pretty annoying. You've worked hard on your web site, its content, and of course the images, so it makes sense that you don't like someone else taking credit for your work.
No doubt you've also seen many articles that teach you how to replace the hotlinked image with a humorous one. Although this may provide you (and others) with hours of amusement, it's not helping you at all. The entire purpose of handling hotlinked images is to save your bandwidth, so replacing a hotlinked image with another one is still costing you bandwidth. And yet, this is the most commonly recommended practice as far as hotlinking goes. As Captain Kirk once said to Spock, "I submit to you that your universe is illogical. I submit to you that YOU are illogical."
Let's reconsider hotlinking just for a minute (I'll get to the code soon!). Back in the 1990s, bandwidth and web hosting were not cheap. The Internet had just opened up to the world and everyone was on their baby feet. Becoming a popular web site overnight could actually shut your site down if your server wasn't prepared to handle the load. Fast forward to the 2000s; things are cheaper now. You actually can get web sites with amounts of space and bandwidth that you will probably never use up. This is known, in the web hosting industry, as "overselling."
Taking these facts into consideration, hotlinking isn't actually that much of an issue now—in terms of bandwidth costs. However, it is still an issue in terms of stealing credit. This is where you can turn it to your advantage: When someone uses your image on their web page, you can dynamically manipulate it to add a 'label' to the image so that anyone looking at that image will see the message that you want on it. I'll use the recent life-on-mars image as an example. The image could be on your web site like this:
But, you can make the same image appear on someone else's web site like this:
Granted, it isn't the most attractive label, but it's noticeable and you've just turned hotlinkers into advertisers for your web site! And, you can always change the rendering method depending on your graphics skills in .NET.
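Whichever method serves the image, it first has to decide whether a request comes from your own pages or from someone else's; the usual signal is the `Referer` header. The following is an added example of that decision in C#, not the article's attached sample. The host names and sample headers are constructed, and `HotlinkCheck`, `Verdict` and `Classify` are hypothetical names.

```csharp
using System;

// Added example: classify an image request as same-site or hotlinked
// from the value of its Referer header (Request.Headers["Referer"] in ASP.NET).
public static class HotlinkCheck
{
    public enum Verdict { SameSite, Hotlinked, Unknown }

    // ownHosts: the host names your own pages are served from.
    public static Verdict Classify(string refererHeader, string[] ownHosts)
    {
        // Direct visits, some proxies and privacy tools send no Referer.
        // Report Unknown so the caller can serve the plain image.
        if (string.IsNullOrEmpty(refererHeader))
            return Verdict.Unknown;

        Uri referer;
        if (!Uri.TryCreate(refererHeader, UriKind.Absolute, out referer))
            return Verdict.Unknown;   // malformed header: do not guess

        foreach (string host in ownHosts)
        {
            // Compare the parsed host exactly. A substring test on the raw
            // header would also match "http://example.com.other.test/".
            if (string.Equals(referer.Host, host, StringComparison.OrdinalIgnoreCase))
                return Verdict.SameSite;
        }
        return Verdict.Hotlinked;     // label the image for this request
    }

    public static void Main()
    {
        string[] own = { "example.com", "www.example.com" };   // constructed
        string[] samples =                                      // constructed
        {
            "http://www.example.com/gallery.aspx",
            "http://forum.example.net/thread/42",
            "http://example.com.other.test/page",
            "",
            "not a url"
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-42} -> {1}", "\"" + s + "\"", Classify(s, own));
    }
}
```

Because the `Referer` header is set by the client and is often stripped, this check chooses which rendering to send; it does not control who can fetch the image.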
The most common way to do this in ASP.NET is to use HttpHandlers. Unfortunately, web hosts are wary of HttpHandlers and trust them as much as a Jedi would trust a Sith lord to hold his light saber while he ties his shoelaces. Luckily, there are a few methods that I shall present here; these will work for you depending on the amount of control you have over your hosting environment.
- The HttpHandler method (full control over server)
- The ASHX method (limited control)
- The Dynamic ASP.NET Image method (very limited control)
- The .htaccess and ASP.NET Image method (very limited control)
A code sample, created in ASP.NET 2.0, is provided as an attachment with this article; you can use it to test out the various methods. However, I suggest that you understand the code first and modify it to suit your needs if required. The code can be transferred to an equivalent ASP.NET 1.1 project as well.
All of the methods are more or less similar inasmuch as the guts of the code is the same. I first will explain the code used to draw the image with the label and then move on to configuring your application to use each of the methods mentioned above.