1

Someone tried to steal my CSS file to use on his site. Can I somehow block the CSS file from external access without damaging my site? Somehow through .htaccess or something. Thanks for your advice, any help appreciated.

5
  • 11
    It was me. You can't stop me. I'll find your CSS wherever you try to hide it! Commented Jan 18, 2013 at 20:49
  • Are you trying to stop someone "hotlinking" your CSS and loading it in their site from your own domain, or from viewing your CSS to copy? Can you also confirm if your web server is Apache (assuming this from the reference to .htaccess) or IIS? Commented Jan 18, 2013 at 20:59
  • @pwdst My server is Apache. To be clear, he downloaded my CSS and saved it to his hosting in a folder with my domain name =/ I know that I can do nothing about it, but for future troubles of this kind I want to hide the CSS from being downloaded. Okay, I understand that this wasn't a good idea. Commented Jan 18, 2013 at 21:03
  • 2
    Imitation is the sincerest form of flattery. Commented Jan 18, 2013 at 21:34
  • What's there to "steal" in a CSS file? The cure for AIDS in a comment block? Commented Jan 18, 2013 at 23:23

3 Answers

5

Generate your css with PHP like style.css.php and in the code accept a token which refreshes every second. Your main page will include it using the current token src="style.css.php?token=abc123". If the token is valid, it serves it up. If the token is expired, it doesn't.

Dumbest solution ever. Endless workarounds, but might help against that guy who wants to steal your CSS. Worth a try and a good laugh.

Step 1: Create a table css_security_force in your database with one column token

Step 2: Create a cron that runs every second to update the token (now THAT's secure):

```sql
UPDATE css_security_force SET token = md5( NOW() );
```

Step 3: In your PHP head grab the token from the css_security_force table and set it as a variable $token then reference that token in the CSS link:

```html
<link rel="stylesheet" href="style.css.php?token=<?=$token?>" />
```

Step 4: In your style.css.php file, grab the token from the database and check it against the query param.

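```php
<?php
// $token holds the current value read from the css_security_force table.
$supplied = isset($_GET['token']) && is_string($_GET['token']) ? $_GET['token'] : '';

// hash_equals() avoids the loose == comparison, which treats md5 values
// such as "0e123..." as numbers.
if (hash_equals($token, $supplied)) {
    header('Content-Type: text/css');
    echo <<<CSS
        body {
            background-color : yellow;
            color : pink;
        }
CSS;
} else {
    echo 'Stop stealing my CSS!!!!!!';
}
```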

Sit back and watch your foe's plans crumble before him.

EDIT I got curious and made a working demo (Took it down after a couple days of 1 second db updates for sanity purposes, but you can easily recreate with the source posted below).

Here is the source on Github


6 Comments

Can you implement this somewhere? I would love to see this in action.
Just a note, but there will be a significant trade-off doing this, as it's a lot cheaper for your server to serve a static CSS file than to process a PHP page to generate a CSS file. Also, don't plan to ever cache this on a CDN and have this security hack work.
Added the Github source. Special thanks to the anonymous downvoter.
This is nice as an experiment, but horrible if you would use it on a real site. A true performance nightmare! And the CSS would still be visible. If the browser can't load it, the CSS can't be applied... It would only prevent hotlinking. Still a nice experiment though.
Hence the comment in the php source on git : None of this code is intended to be serious or used in prod, even though it works. lol
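
A stateless take on the rotating token described in the answer above, as an added example that is not the answerer's code or the GitHub demo: the token is an HMAC of the current time window, so no table or cron is needed. The function and constant names, the 30-second window and the placeholder secret are assumptions.

```php
<?php
// Added example: stateless variant of the answer's rotating token.
// CSS_TOKEN_SECRET, CSS_TOKEN_TTL, css_token() and css_token_valid() are
// hypothetical names; the secret below is a constructed placeholder.
const CSS_TOKEN_SECRET = 'replace-with-random-server-side-secret';
const CSS_TOKEN_TTL = 30; // seconds per window (assumption; the answer rotates every second)

// Token for the time window containing $now: HMAC-SHA256 over the window index.
function css_token(int $now): string
{
    $window = intdiv($now, CSS_TOKEN_TTL);
    return hash_hmac('sha256', (string) $window, CSS_TOKEN_SECRET);
}

// Accept the current window and the one before it, so a page rendered just
// before a rollover can still load its stylesheet.
function css_token_valid($supplied, int $now): bool
{
    if (!is_string($supplied)) { // ?token[]=x arrives as an array
        return false;
    }
    foreach ([$now, $now - CSS_TOKEN_TTL] as $t) {
        // hash_equals() compares in constant time and never type-juggles, unlike ==
        if (hash_equals(css_token($t), $supplied)) {
            return true;
        }
    }
    return false;
}

// Constructed timestamps exercising the window edges.
$issued = 1700000010; // moment the page was rendered (start of a window)
$token  = css_token($issued);
var_dump(css_token_valid($token, $issued + 5));  // request in the same window
var_dump(css_token_valid($token, $issued + 35)); // request one window later
var_dump(css_token_valid($token, $issued + 90)); // request three windows later
var_dump(css_token_valid(['x'], $issued));       // array instead of string
var_dump(css_token_valid('0', $issued));         // short numeric-looking string
```

In `style.css.php` the check would be `css_token_valid($_GET['token'] ?? null, time())`. As the comments above point out, anyone who loads the page receives a valid token, so this only limits stale hotlinks and does not hide the CSS.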
4

No. This makes no sense. Your CSS file must be available to anyone who can view your site if you want your pages styled.

Who cares if someone uses your style?

12 Comments

I think he meant that someone was hotlinking his CSS file(s).
@RocketHazmat Whatever the method, you can't prevent people from loading a CSS file.
Hmm, can I block the ability to open the CSS in a new tab?
@flinth: Once the CSS is loaded into my browser, I can look at it and do what I want with it.
@flinth your CSS file is either available or not.
2

Simply put you cannot block it because the browsers have to have access to them. It is just one of those things you should not worry about. If it were possible, many sites like Facebook and Twitter would be blocking it.
