
Lightroom Flash Galleries Security Issue

I've been using Lightroom's Flash Galleries lately as a mechanism to get images efficiently and beautifully published on the web, and I was uncomfortable that the image files are output by Lightroom to the web as publicly downloadable jpgs in high resolution!

One of the reasons photographers like to publish things on the web in Flash is that the images are a little more difficult to steal. An image thief would have to take a screenshot in order to obtain the image presented in Flash.

Unfortunately, the Lightroom Flash galleries have all the images as jpgs in directories that are easy for people to browse and steal.

So the fix I implemented involves not allowing Apache to give people access to those files. The Flash gallery doesn't get the images through Apache, so it doesn't matter. Adobe could fix this problem with an .htaccess file automatically generated for each directory.

But until then, to make the jpgs in a Lightroom Flash Gallery secure, here are two approaches:

1) Do this to httpd.conf:

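# This secures the image files in the Lightroom exports.
# FilesMatch tests only the file name, never the full path, so the path
# restriction comes from nesting it inside the DirectoryMatch section.
# Deny/Allow is Apache 2.2 syntax; 2.4 uses "Require all denied/granted".
<DirectoryMatch "/usr/home/jeff/public_html/portfolios/.*/">
   Options -Indexes
   # Deny every file in the gallery directories...
   <FilesMatch ".">
      Deny from all
   </FilesMatch>
   # ...except files whose names start with "index".
   <FilesMatch "^index">
      Allow from all
   </FilesMatch>
</DirectoryMatch>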

This makes it so that all the Lightroom galleries that I upload into portfolios can be viewed, but nobody has access to any other file in there via Apache. It also makes it so that Apache doesn't show the contents of each directory. Flash doesn't have a problem reading the images, because it isn't doing it through Apache, so the Flash galleries continue to work fine.

2) Another approach, though less secure, would be to disable the default Apache habit of creating an index of all the files in a particular directory for people on the web when it can't find an explicit index file. With that default, if somebody browses to /portfolios/Nice_Pictures/bin/image/large, Apache will tell them exactly what is in that directory: your hi-res image!

To fix this, put the following in httpd.conf:
<Directory "/usr/home/jeff/public_html/portfolios/">
   Options -Indexes
</Directory>

Unlike option 1 above, the files are still accessible to people via Apache, but people will have to guess at the names of the files. It is not impossible to guess the names, but it is a little more secure than having Apache just let everyone know what the names are!
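
The per-gallery .htaccess idea mentioned earlier, as an added shell example that is not part of the original post or of Lightroom. It gives the same protection as option 2 (no directory listings) and assumes each gallery is an immediate subdirectory of the portfolios directory; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: every gallery is
# an immediate subdirectory of the portfolios directory passed as $1.

# Print every directory under $1 that holds JPEGs but no index file.
# These are the directories Apache lists while Indexes is enabled.
list_exposed() {
    find "$1" -type d | while IFS= read -r dir; do
        ls "$dir" | grep -qiE '\.jpe?g$' || continue
        ls "$dir" | grep -qE '^index\.' && continue
        printf '%s\n' "$dir"
    done
}

# Make sure each gallery root has an .htaccess with "Options -Indexes".
# An existing .htaccess is appended to, never overwritten.
# Prints the path of every file it created or changed.
protect_galleries() {
    for gallery in "$1"/*/; do
        [ -d "$gallery" ] || continue
        ht="${gallery%/}/.htaccess"
        if [ -f "$ht" ] &&
           grep -qE '^[[:space:]]*Options[[:space:]].*-Indexes' "$ht"; then
            continue    # already protected
        fi
        printf '%s\n' 'Options -Indexes' >> "$ht"
        printf '%s\n' "$ht"
    done
}

# Run both steps when a directory is given on the command line.
if [ "$#" -eq 1 ]; then
    echo "Directories with listable JPEGs:"
    list_exposed "$1"
    echo ".htaccess files written:"
    protect_galleries "$1"
fi
```

Apache only honors `Options` in an .htaccess file when `AllowOverride` for that directory includes `Options` (or `All`). An .htaccess in the gallery root also covers its subdirectories, so one file per gallery is enough.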
