#WAFv2
AWS WAFv2 For Hotlink Protection: Future Of Content Security

How to stop hotlinking with Amazon CloudFront, WAF, and referer checking.
AWS WAF Classic will be retired in September 2025. This update describes how to utilise the latest AWS WAF (WAFv2) to avoid hotlinking. Screenshots have been updated to reflect AWS WAF Management Console changes.
Hotlinking, also known as inline linking, is a form of content leeching in which an unauthorised third-party website embeds, in its own HTML, links to resources hosted on a primary website. Because the third-party site does not pay for hosting, your website is billed for the bandwidth its content consumes. Slow loading times, lost money, and legal issues may result.
Hotlinking can now be stopped using AWS WAF. AWS WAF, a web application firewall, integrates with Amazon CloudFront, a CDN, to protect your web applications from common web exploits that can affect availability, compromise security, or consume excessive resources.
Solution overview
There are several techniques to handle hotlinking. The Apache module mod_rewrite may verify the Referer header on your web server. You may then redirect the visitor to your site's home page or display a 403 Forbidden message.
If you use a CDN such as CloudFront to speed up website delivery, Referer header validation on the web server is less useful. The CDN caches your content at its edge servers, so subsequent requests for that content are unlikely to reach the origin web server even if the origin verifies the headers (in this example, Referer). The CDN itself must therefore validate those requests.
Figure 1: Cache request-response flow (cache hits and misses).
Figure 1 shows the procedure:
A user client (1) sends a request to a CloudFront edge location (2).
The edge location tries to return a cached copy of the file. If the cache can serve it, the request is a cache hit.
If there is a cache miss (the content is not in the edge cache, or the cached copy is stale), the edge location requests a fresh copy of the object from the origin (3), which may be an Amazon S3 bucket.
On a cache hit, the edge server fulfils the request without contacting the origin, so any validation logic at the origin is never applied to the user's request.
Two methods for solution implementation
This document provides two AWS WAF configurations to prevent hotlinking:
Move protected static assets (images or style elements) to static.example.com, so that you only need to check the Referer header.
Keep static files in a directory on the same domain. This approach extends the first example to also check for an empty Referer header.
Your website structure and security needs determine which strategy to use. The first approach sets up a Referer header check to guarantee that image requests come from an allowlisted sub-domain, while the second also checks for an empty Referer header. The first technique prevents unaffiliated third-party sites from embedding image links, whereas the second also allows users to share direct links.
Terms
Key phrases from this post:
AWS WAFs use web ACLs tied to CloudFront distributions.
Each web ACL has one or more match criteria and rules.
Match conditions examine request headers or URIs for particular criteria using one or more filters.
HTTP header names are not case-sensitive: Referer and referer refer to the same header. The header values you match against, however, are case-sensitive.
Requirements
A CloudFront distribution is needed to configure an AWS WAF web ACL. Configuring a CloudFront distribution with an S3 bucket origin is covered in Configure distributions.
Approach 1: Subdomain separation
This sample AWS WAF rule set comprises one rule, match condition, and filter. The match condition checks the Referer header for a given value. Traffic is allowed if the request meets rule conditions. If not, AWS WAF blocks traffic.
Because the static files' subdomain (static.example.com) should only be reachable from example.com, any request for a file that does not carry a matching referrer is blocked, which stops hotlinking.
Approach 2: Domain-wide content with path filtering
The second technique filters by URL path and allows blank Referer headers. Create an AWS WAF web ACL with several rules and extra match conditions (filters). Instead of validating the Referer header once, the match condition validates it twice: the first check looks at whether the request header is present or empty, and the second checks that the Referer value is the expected URL.
Some users may prefer to share the image URL directly. Letting the image be opened directly in the browser avoids a poor user experience. In this respect the second solution is more flexible than the first, which required image requests to come via the sub-domain.
You must also check the request path (/wp-content) so that AWS WAF protects multiple folders under one domain name.
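Both approaches written out as WAFv2 web ACL definitions, with a small local evaluator that shows what each decides for sample requests. This is an added example, not code from the original post or from AWS. The rule and web ACL dictionaries follow the statement structure of the WAFv2 CreateWebACL API (the shape a boto3 `wafv2` client accepts in `Rules=` and `DefaultAction=`); the evaluator is a simplified stand-in for AWS WAF written for this example and covers only the statement types used here. example.com, static.example.com and /wp-content come from the post; the rule names, the https scheme in the allowed referrer, the sample requests and the treatment of a missing Referer as size 0 in the size-constraint check are assumptions.

```python
from typing import Optional

SITE_REFERER = "https://example.com/"   # pages allowed to embed the assets (https assumed)
PROTECTED_PATH = "/wp-content/"         # path protected in approach 2 (from the post)


def referer_match(search: str, constraint: str) -> dict:
    """ByteMatchStatement on the Referer header, in WAFv2 API shape. Header names
    are case-insensitive; LOWERCASE makes the value check case-insensitive too.
    Matching scheme + host + "/" with STARTS_WITH avoids the CONTAINS "example.com"
    trap, which would also accept a Referer of https://example.com.evil.test/."""
    return {"ByteMatchStatement": {
        "FieldToMatch": {"SingleHeader": {"Name": "referer"}},
        "PositionalConstraint": constraint,
        "SearchString": search.encode(),      # the API takes bytes
        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}


def referer_empty() -> dict:
    """SizeConstraintStatement: Referer of length 0. Assumption: a missing Referer
    counts as size 0 here (what the post's "empty Referer" check relies on)."""
    return {"SizeConstraintStatement": {
        "FieldToMatch": {"SingleHeader": {"Name": "referer"}},
        "ComparisonOperator": "EQ", "Size": 0,
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}


# Approach 1: on static.example.com everything needs a matching Referer.
APPROACH_1 = {
    "DefaultAction": {"Block": {}},
    "Rules": [{"Name": "allow-own-referer", "Priority": 0,
               "Statement": referer_match(SITE_REFERER, "STARTS_WITH"),
               "Action": {"Allow": {}}}]}

# Approach 2: only /wp-content/ is protected, and an empty Referer is allowed
# so that directly shared image links still open in a browser.
APPROACH_2 = {
    "DefaultAction": {"Allow": {}},
    "Rules": [{"Name": "block-hotlinked-wp-content", "Priority": 0,
               "Statement": {"AndStatement": {"Statements": [
                   {"ByteMatchStatement": {
                       "FieldToMatch": {"UriPath": {}},
                       "PositionalConstraint": "STARTS_WITH",
                       "SearchString": PROTECTED_PATH.encode(),
                       "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
                   {"NotStatement": {"Statement": referer_empty()}},
                   {"NotStatement": {"Statement": referer_match(SITE_REFERER, "STARTS_WITH")}}]}},
               "Action": {"Block": {}}}]}


def _field(body: dict, req: dict) -> Optional[str]:
    """Pull the inspected component out of a request dict {"uri", "headers"}."""
    if "UriPath" in body["FieldToMatch"]:
        return req["uri"]
    name = body["FieldToMatch"]["SingleHeader"]["Name"].lower()
    return {k.lower(): v for k, v in req["headers"].items()}.get(name)


def matches(stmt: dict, req: dict) -> bool:
    """Simplified stand-in for AWS WAF statement evaluation (this example's own)."""
    (kind, body), = stmt.items()
    if kind == "AndStatement":
        return all(matches(s, req) for s in body["Statements"])
    if kind == "NotStatement":
        return not matches(body["Statement"], req)
    value = _field(body, req)                 # None when the header is absent
    if kind == "SizeConstraintStatement" and body["ComparisonOperator"] == "EQ":
        return (0 if value is None else len(value.encode())) == body["Size"]
    if kind == "ByteMatchStatement":
        if value is None:
            return False                      # an absent header never byte-matches
        if any(t["Type"] == "LOWERCASE" for t in body["TextTransformations"]):
            value = value.lower()
        needle = body["SearchString"].decode()
        return {"STARTS_WITH": value.startswith(needle), "CONTAINS": needle in value,
                "ENDS_WITH": value.endswith(needle), "EXACTLY": value == needle,
                }[body["PositionalConstraint"]]
    raise ValueError(f"unsupported statement: {kind}")


def evaluate(web_acl: dict, req: dict) -> str:
    """Return "ALLOW" or "BLOCK": first matching rule by priority, else the default."""
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if matches(rule["Statement"], req):
            return "ALLOW" if "Allow" in rule["Action"] else "BLOCK"
    return "ALLOW" if "Allow" in web_acl["DefaultAction"] else "BLOCK"


# Constructed sample requests, not captured traffic.
IMG, OWN, OTHER = "/wp-content/uploads/cat.jpg", "https://example.com/gallery", "https://third-party.example.net/"
SAMPLES = {
    "embedded on own site": {"uri": IMG, "headers": {"Referer": OWN}},
    "hotlinked elsewhere": {"uri": IMG, "headers": {"Referer": OTHER}},
    "shared direct link": {"uri": IMG, "headers": {}},
    "outside protected path": {"uri": "/index.html", "headers": {"Referer": OTHER}},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:24} approach 1: {evaluate(APPROACH_1, req):5}  approach 2: {evaluate(APPROACH_2, req)}")
```

Running the block prints one line per sample: approach 1 allows only the request embedded on example.com and blocks the other three, while approach 2 blocks only the hotlinked /wp-content request and lets the directly shared link and the page outside the protected path through. The Referer-based decision is the same weak signal the post's conclusion warns about: the evaluator shows what the rules do with the header they receive, and a client that sets the header itself is indistinguishable from a browser on example.com.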
In conclusion
AWS WAF, a web application firewall, monitors and manages HTTP(S) traffic to your protected web applications. Using the AWS WAF custom rule builder, you protected your website's Amazon S3 bucket content from hotlinking.
Preventing unauthorised third-party websites from linking to your static content reduces bandwidth costs and resource leeching and protects the user experience. Two robust referrer check methods are described in this post. Following the least-privilege approach, you may restrict the AWS WAF rules to .jpg or .png image file extensions.
Referer checking prevents unaffiliated websites from using your bandwidth and linking to your images, but a deliberately crafted request can set the header so as to bypass it. Inconsistent Referer header handling can also be caused by browser plugins, server-to-server requests that fake header data, or privacy-focused web browsers. Recognise these anomalies and consider token authentication and signed URLs for protecting private content.
Web browsers cannot detect modified Referer headers. Referer checking should be used together with AWS WAF application protection rules, Bot Control, Fraud Control, and DDoS protection to secure web applications.
#technology#technews#govindhtech#news#technologynews#AWS WAF#Amazon S3#WAFv2#content delivery network#web ACL#HTTP
AWS WAF Classic vs WAFV2: Features and Migration Considerations
http://securitytc.com/TJsKVC
なるほどですね: article list for July 13, 2020
(24 items total)
Kuroco | API-centric Cloud Native CMS
Practical Low-Level Programming
Four takeaways from Microsoft's acquisition of CyberX
"Going from an inexperienced humanities graduate to a data scientist in three months and turning your life around" ends here
Tour of Rust
A thorough explanation of the sensors used in smartphones
Change Data Capture from On-Premises SQL Server to Amazon Redshift Target
Seven perspectives for coming up with startup ideas
Handling SPA Fallback Paths in a Generic ASP.NET Core Server
Introduction to the cloud with AWS
[GitHub Actions] Trying out the dispatch_workflow event, which makes it possible to manually re-run a workflow from the browser
From the problem of pricing as a company to the relationship between older engineers' hardship and wages
[AWS Black Belt Online Seminar] Amazon Cognito slides and Q&A published
On retrieving resource information for running queries in which CXPACKET waits occur
What is MaxDOP controlling?
On the connection flow when connecting to SQL Database
How to write JavaScript code from scratch on your own?
Google promises to "dramatically improve" battery consumption in Chrome for Mac
Deno vs Node showdown!
Setting the Page Title in a Blazor App
Customer service by remotely operated robot! The avatar robot "OriHime" to be introduced at the Mos Burger Osaki store
Used by 4 million people a month at its peak: the background to the birth of "在庫速報.com", which lets you compare mask unit prices (1/2)
AWS WAF Security Automations is now available for WAFv2
The spread of "station umbrella" rentals, even after going paid…… (1/2)
Azure Application Gateway Standard v2 and WAF v2 SKUs generally available
Application Gateway is Azure’s Application Delivery Controller as-a-service offering which provides customers with layer 7 load balancing, security and WAF functionality. Azure Application Gateway Standard v2 and WAF v2 SKUs are now generally available and fully supported with a 99.95 SLA. from Pocket https://azure.microsoft.com/en-in/updates/azure-application-gateway-standardv2-wafv2-skus-generally-available/ via IFTTT
AWS WAF Classic vs WAFV2: Features and Migration Considerations
http://securitytc.com/TJsH4C
なるほどですね
(13 items total)
1. Tried restricting by IP address with AWS WAFV2
2. Epsagon, serverless development monitoring, raises over 1.7 billion yen
3. Aiming for Choshi in Chiba from Shinjuku on the TB1e, an electric cross bike with a maximum range of 130 km, gave a result even the manufacturer had not expected, and everyone involved laughed
4. New electric cross bike TB1e
5. The Small Advanced Fingerprint Bike Lock——Walsun
6. Rakuten Mobile's MNO service outage was caused by a "deadlock" in billing-control equipment
7. PayPay, aiming to "beat credit cards", to offer financial services during 2020
8. Wireless・のおと
9. Mobile Blazor Bindings turned out to be a "Xamarin.Forms app generator"
10. Building a serverless architecture for a payment platform with AWS CDK
11. Hard things and good things about programming. | Seiji Takahashi
12. Logging best practices - kawasima
13. e-Tax software does not yet support the "new Microsoft Edge"; use the "old Edge" or "IE11"
なるほどですね
(17 items total)
1. Remote Debugging a .NET Core Linux app in WSL2 from Visual Studio on Windows
2. Three studies on detecting people on the other side of a wall
3. Build an ASP.NET Core Update Panel with Vanilla JavaScript in Four Easy Steps
4. Using async disposable and async enumerable in frameworks older than .NET Core 3.0
5. Avoiding Startup service injection in ASP.NET Core 3 Upgrading to ASP.NET Core 3.0 - Part 3
6. .NET Core 3.1 is now available on Azure Functions v3
7. docx2md - Convert Word documents to Markdown
8. Blocking LFI attacks with WAFv2 managed rules
9. "Having lost everything once, I am already half dead": why SUGIZO, after success and setbacks, now devotes himself to volunteering
10. Why "you can pay utility bills at convenience stores too" is not a good deal for Lawson
11. Already 3,000 units: is there really no shoplifting at FamilyMart's unmanned checkouts?
12. Kanagawa Prefectural Government HDD leak: the suspected vendor is a major firm with many public- and private-sector contracts; the Ministry of Defense says it will "investigate thoroughly"; the impact may be large (1/2)
13. Thinking about operations in a Zero Trust Network
14. What is JavaScript's "cover grammar"?
15. Ruby runs naturally on microcontrollers: "mruby/c" reaches the practical stage with its new version
16. A download speed of 258 Mbps jumped to 724 Mbps in one go!
17. Computer Clubhouse Kaga: a report after six months