RewriteCond not preventing certain websites

My website allows people to read content freely if they arrive via a search engine or know the full URL of an article. I require the members to create an account and log in to be able to conduct their own keyword searches and find what they really need.

I discovered that another website is letting people conduct keyword searches, view the Google searches, all within an iframe or something. Once the user found what they wanted, they could click the link in the Google search and be taken to the content they were looking for on my website. Normally traffic like this would be welcomed by any website. However, it prevents lots of people from ever needing to create an account on my website, which we use for further marketing purposes. So then I added this to my .htaccess:

RewriteCond %{HTTP_REFERER} offendingWebsite\.com [NC,OR]

I tested it out by going to the offending website, did a search, viewed the google results in their iFrame, and then clicked on one of them. Sure enough, the permission denied message was given.

Recently I tried it again and somehow they found a work-around. It looks like when a person clicks on the google search results in their iFrame, the location field in the web browser quickly changes to google.com, then redirects to my website. Hmmmm.

How can I block what the offending website is doing without blocking people who originate from the google homepage?

Thanks!

Personally, I handle these types of things in my PHP script and not htaccess. I find the script to be able to deal with it much more gracefully. Also, relating to your particular issue, the $_SERVER variables can be spoofed, so blocking by this method is not foolproof.

What you’re describing is called clickjacking. You may want to read up on some preventative measures. Take special note of the X-Frame-Options portion. Note that this is on the browser’s honor system.

You might want to consider an IP and/or session-based limit to how many searches they can perform before having to register. This might allow you to control the number of times they can view a unique article before you gently nudge them to register for an account. To circumvent this, they would need to either spoof their IP, run through a proxy or scrape your content to display on their own host.
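The session-based limit suggested above, written out as an added example (this is not schwim's or Busboy's code): an anonymous visitor gets a fixed number of distinct articles per window before the page asks them to register, which does not depend on the referer at all. The constant names, the limit of 5 and the session key are assumptions.

```php
<?php
// Added example: cap free article views per anonymous visitor, independent of
// HTTP_REFERER (which the offending site's redirect through google.com defeats).
declare(strict_types=1);

const FREE_VIEWS = 5;          // distinct articles allowed per window (assumed value)
const WINDOW_SECONDS = 86400;  // counter resets after one day

/**
 * Decide whether an anonymous visitor may read $articleId.
 * $state is the per-visitor counter (normally $_SESSION['views']), passed by
 * reference so the caller chooses where it lives: the PHP session, or a DB row
 * keyed by client IP for visitors that refuse cookies.
 * Returns true when the article may be shown, false when the registration
 * nudge should be shown instead.
 */
function allowAnonymousView(array &$state, string $articleId, int $now, bool $loggedIn = false): bool
{
    if ($loggedIn) {
        return true;                                    // members are never throttled
    }
    if (!isset($state['start']) || $now - $state['start'] > WINDOW_SECONDS) {
        $state = ['start' => $now, 'articles' => []];  // open a fresh window
    }
    // Only distinct articles count, so reloading one page is not penalised.
    if (in_array($articleId, $state['articles'], true)) {
        return true;
    }
    if (count($state['articles']) >= FREE_VIEWS) {
        return false;
    }
    $state['articles'][] = $articleId;
    return true;
}

if (PHP_SAPI !== 'cli') {
    // Request handling as it would sit at the top of an article page.
    session_start();
    $_SESSION['views'] = $_SESSION['views'] ?? [];
    $id = basename($_GET['id'] ?? '');
    if (!allowAnonymousView($_SESSION['views'], $id, time(), isset($_SESSION['user_id']))) {
        http_response_code(403);
        exit('You have reached the free article limit. Please register to continue.');
    }
    // ... render the article ...
} else {
    // Constructed walk-through: seven requests in one session, 'a1' repeated.
    $s = [];
    foreach (['a1', 'a2', 'a3', 'a4', 'a5', 'a1', 'a6'] as $id) {
        printf("%s: %s\n", $id, allowAnonymousView($s, $id, 1000) ? 'shown' : 'register');
    }
}
```

Keying the store by client IP instead of by session catches visitors that discard cookies, at the cost of everyone behind one NAT address sharing a single counter.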

Wow, I read up on the topic like you suggested and did the following:

  1. Added Header append X-Frame-Options "DENY" to my .htaccess

  2. Added header('X-Frame-Options: DENY'); at the top of the page where I don't want content stolen

Despite these measures, I was still able to go to the offending website, conduct a search, view the google search results which they have in an iframe, and then click on one of the results for my domain to be successfully routed to my site. Why is this still possible with the steps I took above?

Thanks for your help!!

@schwim - can you share the code that you use in PHP to handle this? This particular problem continues to grow for me.

Thanks!

Hi there Busboy,

I’m super sorry to hear of your continued problems. Before I post anything, I want to make sure I’m clear on the situation. Is it correct that the referer is showing up as one particular offending site? If this is not correct, let me know what’s tipping you off when it happens.
