Protect Flash Files from Download, Protect Flash Files from Import.

Protect Flash files from being downloaded with this technique. It is not fool-proof, but this takes a completely different approach to stopping the average user trying to get at your SWF files than other tactics.

Protect Flash Files from Being Downloaded

Thanks to Graham Ellis for the awesome time he donated to help me understand some of the finer points of PHP. He is a true PHP genius!

Protecting Flash files: the example

Try your hand at downloading the Flash .swf movie in this example.

.htaccess

Create a file called .htaccess in the root folder on your server if you don't already have one, and insert the following line to it:

  1. AddHandler application/x-httpd-php .swf

Modifying your htaccess file by adding this line will not affect other Flash files on your website.

The HTML

You need to add two things to the page that the Flash movie will play on; first, add lines 1-3 to the very top of your page. And second, add lines 9-11 to your page directly above the object tag. Lastly, change the extension of the page to .php so your server will know to parse the language instead of writing it to the page.

  1. <?php
  2. session_start();
  3. ?>
  4. <html>
  5.   <head>
  6.     <title>Flash</title>
  7.   </head>
  8.   <body>
  9. <?php
  10. $_SESSION["flash"] = $_SERVER["HTTP_HOST"];
  11. ?>
  12.     <object width="550" height="400">
  13.       <param name="movie" value="flash.swf">
  14.       <embed src="flash.swf" width="550" height="400"></embed>
  15.     </object>
  16.   </body>
  17. </html>

The PHP

Here's where the real muscle comes in. While the HTML calls for flash.swf, it won't technically be a Flash file; it'll be a PHP file. Create a new file on your computer called flash.txt, open it up to edit, and insert the following code into it. Upload the file to your server and change the extension from txt to swf. This is the file that your HTML will link to instead of the real Flash movie.

  1. <?php
  2. session_start();
  3.  
  4. if(isset($_SESSION["flash"])) {
  5.   $referrer = $_SERVER["HTTP_REFERER"];
  6.   $referrer = parse_url($referrer);
  7.   if($referrer["host"] != $_SESSION["flash"]) {
  8.     echo "Permission denied.";
  9.     exit();
  10.   }
  11. } else {
  12.   echo "Permission denied.";
  13.   exit();
  14. }
  15.  
  16. unset($_SESSION["flash"]);
  17.  
  18. header("Content-type: application/x-shockwave-flash");
  19. readfile("/home/www/private/real_movie.swf");
  20.  
  21. ?>

The only change you need to make to this file is on line 19. Replace /home/www/private/flash.swf with the full server path to the Flash movie you want to play. If you don't know your full server path, you can find it by creating this PHP file and viewing it in your browser:

  1. <?php
  2. echo $_SERVER["DOCUMENT_ROOT"];
  3. ?>

The ideal spot to put the real .swf file would be a place on your server where browsers can't go such as a password protected directory or in a private folder outside of the document root.

How does this protect my Flash files from being downloaded?

The first thing that happens is the HTML page creates a session (sessions are kind of like cookies) and then it opens the PHP script as if it were a genuine Flash file. The session contains the domain of the site, and a quick check is performed to see if the domain requesting the flash file is the same as the domain where the flash file is located. If it doesn't match or the session was never created, the page simply reads, Permission Denied.

Update: 8 August, 2007

A couple of ways to get around this preventative measure have been brought to my attention, so consider this method a way to slow down experienced hackers. Personally, if I ran into this being used on a Flash file that I wanted to download, I would shrug my shoulders and give up.

Terms and Conditions

By using this information, you consent to the following:

In no event shall I be held liable for any damages whatsoever (including, without limitation, incidental and consequential damages, lost profits, or damages resulting from lost business) resulting from the use or inability to use the material on this website.

Navigation

Web Design Resources and Articles