# Blocking script leechers by http referrer

I've been running a copy of the excellent Feed2JS RSS feed embedder script on one of our servers for a few years(!) now. It's a great way to embed any RSS feed onto any web page. The problem is that it's a little too attractive to some of the more leecherly and unsavoury members of teh intarwebs. I occasionally take a peek at who's using the script, and have found SEO tweakers, gambling sites, porn sites, warez, etc... all using it to aggregate their stuff together. That's fine, but download your own copy rather than stuffing my server's logs and cache directories with your crap.

So I just added a .htaccess file to the feed2js directory so that the php scripts are only visible if referred by a web page with "ucalgary" in the URL.

Basically, that says:

By default, block everyone. But, if the referrer for the request for any file in this directory contains "ucalgary" anywhere in the URL, case insensitively matched, then go ahead and let them in (actually, it says, if the url doesn't contain 'ucalgary' - case insensitively matched - then fail).

It's not bulletproof - they can still add "ucalgary" anywhere in the URL - could be the page filename, etc... but I figure if they're willing to rename their crapware sites to "ucalgary" just to use the script, that's just good marketing for us. Also, it'll fail for valid https:// requests, but that's easily fixed.

I had previously locked down access to the script only to browsers with UCalgary IP addresses - but then the scripts don't work on valid sites if accessed off campus. Oops. But it worked :-) This referrer blocking method should provide some flexibility.

To build a feed2js embed code, you'll have to use this page to get started, but it'll fail if you paste the code on a non-UCalgary server.