1 (edited by andrzejwajler 2022-05-25 11:03:20)

Topic: Protecting images

Hi Steven,

Could you please provide some advice on properly protecting images when using a Juicebox password-protected gallery?
As long as the password is good enough as a starting point, I would like to go a bit further and protect the content from someone guessing the folder name of my password-protected gallery (it's a big problem on a web server with folder listing enabled) or guessing the path and image file names.

As an example, please have a look at my test password protected gallery at http://andrzejwajler.pl/krzys.html
If you guess the gallery sits inside the "krzys" folder then you can access the content by simply going to http://andrzejwajler.pl/krzys with no password and the web server will list all the folders and files inside. I could potentially prevent automatic folder content listing by putting a custom index.php file inside each gallery folder ("krzys" in this case) but there is still the possibility someone could guess the name of the image files and just go directly to http://andrzejwajler.pl/krzys/images/IMG_8930.jpg.

Is there any solution you could recommend to make the gallery and images inside more secure?

I gave it a try and put the "krzys" gallery folder outside of the public webserver folder and then set the config "krzys.xml" file so it looks for images in "../krzys/images/" instead of "krzys/images" but that doesn't work - I've got a Juicebox loader spinner with no pictures loaded.

I'm familiar with the INCLUDE or READFILE functions in PHP where I can load files that sit outside of my public webserver folder but I'm not sure if it's possible to do something similar to load images from an external (not public) location for Juicebox?

Thanks,
Andrzej.

Re: Protecting images

Hi, Andrzej.

My usual advice about protecting images can be found here: https://juicebox.net/forum/viewtopic.php?id=5127
It still holds true but it's maybe not exactly what you are talking about.

I gave it a try and put the "krzys" gallery folder outside of the public webserver folder...

As you have discovered, if you cannot view an image on its own in a browser, then Juicebox will not be able to display it. The images need to be publicly accessible.

You could see if your web host allows you to turn off directory listing but anyone determined enough (and with the knowledge of the structure of a Juicebox gallery) might still be able to find your images.
Even with a password-protected gallery, a visitor could view the source of the web page, find the configURL configuration file and view it to see the paths to the images.

You could try hotlink protection. This should prevent direct access to images but it's also very likely to prevent Juicebox from displaying the images, too.

If you don't include a configURL in your embedding code, then, by default, Juicebox looks for a file called 'config.xml' in the gallery folder. A casual visitor is unlikely to know this so the 'config.xml' file should remain hidden (as long as directory listing can be disabled).
The next step would be to not use the default image folder name ('images'). You can rename the image folder to anything you like (something less likely to be guessed), you'll just need to change the corresponding paths to the images in the 'config.xml' file (a global search and replace should do the trick).

Maybe the best option would be to password-protect the gallery folder on the server using .htaccess and .htpasswd files (or via your web hosting account's control panel, if available). Instructions can be found here. This should block all access to the gallery folder until the password has been entered so initially viewing the source of the web page would not be possible.

I hope this gives you some suggestions (or at least a little to think about).
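
The folder-level protection suggested above, written out as an added example (not part of the original post and not Juicebox's own documentation). It assumes Apache 2.4 with .htaccess overrides allowed; the password file path, realm name and user name are placeholders.

```apache
# .htaccess placed inside the gallery folder (krzys/ in this thread).
# The main server config must allow these overrides, e.g.
#   AllowOverride AuthConfig Options   (or AllowOverride All)

# Turn off the automatic file listing for this folder and its subfolders,
# so a request for /krzys/ no longer reveals folder and file names.
Options -Indexes

# Require HTTP Basic authentication for every file under this folder,
# including direct requests such as /krzys/images/<name>.jpg.
AuthType Basic
AuthName "Private gallery"

# Placeholder path: keep the password file outside the public web root
# so it can never be downloaded.
AuthUserFile /home/example/private/.htpasswd

# Any user listed in the password file may enter.
Require valid-user

# Create the password file once from a shell (bcrypt hash, prompts for
# the password); "galleryuser" is a placeholder user name:
#   htpasswd -c -B /home/example/private/.htpasswd galleryuser
```

Basic authentication sends the user name and password only base64-encoded with every request, so serve the gallery over HTTPS rather than plain http://.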

Re: Protecting images

I think I will go forward with the idea of using .htaccess and .htpasswd to protect the folders on the webserver level.
Many thanks for your suggestions.