Protecting API images from being stolen
Posted: Tuesday, March 02, 2010 11:16:35 PM
I'd like to start using the API to grab images from my server and turn them into products... but how do I stop people finding the images and pinching them???

I'd use thumbnail images on my site for the links to the API, but if customers were particularly sneaky they could see where the full-size image was located from the API url and then go and download it themselves to print elsewhere.

Does anyone know if there is some web service out there that lets you put a firewall on a server folder? It would still need to let me and the Zazzle API in, but nobody else.

Any ideas? This is a bit of a deal-breaker for using the API. It must be possible though because I guess Zazzle themselves have such a set up.
Posted: Wednesday, March 03, 2010 1:06:53 AM
With Apache, it can be done server-side via the httpaccess settings (httpd.conf, if I recall). There may be an alternative way via PHP, but I'm not certain.
Posted: Wednesday, March 03, 2010 1:49:26 AM
Oh great, that's perfect, my server is Apache, sweet! I'll look into it further, thanks!

I did some investigating after I posted and it looks like there are other tricks you can employ too; like disabling right clicking and hiding the url.

For anyone who might find this thread later;
http://www.naturefocused.com/articles/image-protection.html
Posted: Wednesday, March 03, 2010 3:10:19 PM
There is no reliable and foolproof way to keep someone from stealing an image. The question is how good of an image are they getting. If they see it in their browser it's already on their hard drive. Can't stop that.

There are lots of tricks to discourage it (such as a transparent gif over the real image, or disabling right click save as) but the fact remains if they can see it, they can steal it. Generally most images are so compressed they aren't really worth stealing for any commercial use. Might work as a decent image on a website or something.
Posted: Thursday, March 04, 2010 1:05:35 AM
API is a little different though because the user won't be accessing the actual image, only Zazzle sees that. I know they can still copy whatever Zazzle displays, but I've come to terms with that. What I don't want is people tracing the API url path back to the print-ready images on my server. That would just make it too easy for them!

It looks like there are ways to prevent that happening.
I'll report back once I know more.
Posted: Thursday, March 04, 2010 5:03:30 AM
You can use the "Allow/Deny" statement in your htaccess file so only Zazzle can access the folder your images are in. It's not foolproof but will keep most away from your images. This is the syntax for the htaccess file . . .
Code:

Order deny,allow
Deny from all
Allow from www.zazzle.com

Posted: Friday, March 05, 2010 1:30:43 AM
Ah perfect! That's exactly what I need! Funny I've been trying to figure out how to turn on SSI to use the #include command... looks like I have another good reason to work it out now.
Thanks!!
Posted: Saturday, March 06, 2010 2:25:35 AM
For anyone finding this thread here's some more info I found:
http://www.kavoir.com/2009/01/htaccess-deny-from-all-restrict-directory-access.html

This method was working yesterday but seems to be blocking Zazzle from accessing the images today(?!) If I remove the .htaccess file it sees them, but as soon as I put it back I get "Zazzle API Error 4263"

I don't understand why it worked fine yesterday though...?

Edit: I tried adding Zazzle's actual IP address (70.42.16.130) to the allows but it didn't seem to make any difference.

Edit Again: YESSSS! Fixed it! Earlier today I moved the .htaccess file a directory down from where it had been. I just remembered and moved it back, and lo and behold it works again! I have no idea why it wants to be in that particular directory (it's not the root) but if it's happy there, then I'm happy!

Edit Yet Again: Smeg, it's only working with certain images, even though they're all there in the same directory. ARGH!

I think it might be only letting me access the ones that I went to recently (when htaccess wasn't there.) If I try to use a new image (with htaccess in place) it just goes straight to the API error. It doesn't seem like it's even trying to access the new image. I know they're there and the htaccess file is working, because I added my IP address to the allows and I can see them fine!

Yes, Another Edit: OK... I'm hesitant to say this after last time, but I *think* I fixed it. I changed 'allow from www.zazzle.com' to 'allow from zazzle.com' and it seems to be working *fingers crossed*
Posted: Saturday, March 06, 2010 8:07:23 AM
Thanks for the info and updates
Posted: Saturday, March 06, 2010 9:41:41 AM
No probs! I figured my adventures might be helpful to someone else down the line. Once I'm all up and running I'll write a proper guide. I'm learning so much doing this!
Posted: Sunday, June 13, 2010 2:51:45 AM
Well frak, just as I get ready to finally release this site, I change my hosting and the darn thing stops working again!!

My new host allows .htaccess, so that's not the problem. I've googled the heck out of htaccess file how tos and tried every combination I could find;

Order deny,allow
Deny from all
Allow from .zazzle.com
Allow from zazzle.com
Allow from www.zazzle.com
Allow from 70.42.16.130
Allow from 70\.42\.16\.130
Allow from *.zazzle.com

...but it still blocks Zazzle from getting to the images. It's definitely doing something because as soon as I remove it they work. But I NEED to protect my piccies!

Does anyone know what the problem could be?
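An added example (not part of the original posts, and not Apache's own code): a simplified Python model of how Apache 2.2 documents `Allow from` matching, run against the forms tried in this thread. A host-name argument is compared as a whole-label suffix against the client's double-reverse-DNS name; the DNS tables, the client addresses and the name `fetch1.zazzle.com` are constructed for illustration.

```python
import ipaddress

# Constructed DNS data (not real records): PTR answers and forward (A) answers.
PTR = {"203.0.113.10": "fetch1.zazzle.com",   # hypothetical API fetcher
       "198.51.100.7": "fetch1.zazzle.com"}   # forged PTR on an unrelated host
FWD = {"fetch1.zazzle.com": {"203.0.113.10"}}

def double_reverse(ip):
    """Return the PTR name only if it resolves forward to the same IP."""
    name = PTR.get(ip)
    return name if name and ip in FWD.get(name, set()) else None

def in_domain(pattern, host):
    """Case-insensitive suffix match that must end on a label boundary."""
    pattern, host = pattern.lower(), host.lower()
    if not host.endswith(pattern):
        return False
    if len(host) == len(pattern):
        return True
    return pattern.startswith(".") or host[-len(pattern) - 1] == "."

def allow_matches(arg, ip):
    """Does one 'Allow from <arg>' line match this client?"""
    if arg == "all":
        return True
    try:
        # Full address or CIDR only; Apache's partial-IP form is not modelled.
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    except ValueError:
        pass  # not an address: the argument is treated as a host name
    host = double_reverse(ip)
    return host is not None and in_domain(arg, host)

def permitted(allow_args, ip):
    """'Order deny,allow' + 'Deny from all': only a matching Allow admits."""
    return any(allow_matches(a, ip) for a in allow_args)

# The argument forms listed in the post above.
TRIED = [".zazzle.com", "zazzle.com", "www.zazzle.com", "70.42.16.130",
         r"70\.42\.16\.130", "*.zazzle.com"]

def matching(ip):
    """Which of the tried forms would admit this client?"""
    return [a for a in TRIED if allow_matches(a, ip)]

if __name__ == "__main__":
    for ip in PTR:
        print(ip, matching(ip))
```

On Apache 2.4 the same rules are written with `Require ip` and `Require host` instead of `Order`/`Allow`/`Deny`.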
Posted: Monday, June 14, 2010 3:55:11 PM
I've talked to my new host and apparently the htaccess file needs to be slightly different because they use cloud hosting. See documentation here

I've updated mine with 70.42.16.130 as the IP (zazzle.com) but it still isn't working. I'm not sure if the api uses a different IP address. I've written to support to see if they know of any others I should be allowing. I'll update this thread when I find out. (Hopefully it can be of help to someone later on down the line)
Posted: Wednesday, June 16, 2010 5:23:12 PM
Well smeg, it turns out that "because of the structure of the Media Accelerator, it is not possible to lock down a directory of images by IP address in this way."

They've suggested a way of preventing search engines from indexing them like this:
http://www.javascriptkit.com/howto/robots.shtml

...but I really need something to stop actual people from stealing them.

Drat, I might have to look for a new host. Unless someone has another idea...?
Posted: Wednesday, June 16, 2010 8:49:30 PM
If I understand this correctly you are concerned about someone typing in a directory name to your images host folder and accessing the raw images?

ie: www(dot)mysite(dot)com/images

The host should return a 404 error code if this happens, else you can create an empty index.html file and place it in the images folder; this will stop access to that folder.

The .htaccess syntax should read:

<Limit GET POST PUT>
order deny,allow
deny from all
allow from ip address
allow from domain name
</Limit>

a good resource is Stupid Htaccess Tricks



Posted: Wednesday, June 16, 2010 9:09:51 PM
Thanks, but unfortunately I got unlucky and picked a host that didn't support allow/denys to an image directory. Luckily though they have a monthly billing cycle so I only lost about $6 changing to a different one.

If anyone is going to use the Zazzle API I'd recommend steering clear of cloud hosting, as you won't be able to protect your files with htaccess allow/deny.

Just uploading my site to my new hosting now... fingers crossed!

Edit: Yippee, it's working again...whew!

Ooo found this too...
http://www.htaccesselite.com/protect-your-htaccess-file-vt46.html

To protect your htaccess files from being accessed as well!
Posted: Wednesday, June 16, 2010 9:18:30 PM
Ummm - I use a Cloud Host - don't use the API though (but do have Zazzle Store Builder installed) so I don't know how the two interact. From my experience and I have multiple .htaccess files in the dir tree of my site and all works as it did when on a shared server.

I was wondering if it had to do with the permission the API could have needed -- such as a CHMOD of 777 allowing full permissions to the images directory for gets and writes.

EDIT: Wow - CartoonizeMyPet - you are quick at migrating your site -- took me hours to do mine.

Posted: Wednesday, June 16, 2010 9:27:10 PM
Oh weird. Hmmm I don't know then... the hosting company (Laughing Squid) said it wasn't possible so I assumed it wasn't. Do you host any of the images for the ZSB or are they on Zazzle? They seemed to think allow/denys were possible on cloud hosting (with the modified htaccess file I linked above,) but allowing a specific IP address to access images was a no no.

I've changed to BlueHost now after seeing some recommendations on this forum. The simple...

Order deny,allow
Deny from all
Allow from zazzle.com

...works again, so I'm happy!
Posted: Wednesday, June 16, 2010 9:32:01 PM
CartoonizeMyPet wrote:
They seemed to think allow/denys were possible on cloud hosting (with the modified htaccess file I linked above,) but allowing a specific IP address to access images was a no no.


I would have tried the empty index.html file in the images dir - it is an old trick and it works -- unless there was a modification of the CHMOD which would prevent its functioning as it is designed -- good you found a solution.

Posted: Friday, June 18, 2010 11:50:09 AM
The support team just contacted me again to say that they have actually now found a fix for the problem. It's too late for me because I've already signed up for a yr at BlueHost, but for anyone reading this later, there is a solution for cloud host users! Huzzah!