My users upload their profile images and I save them in a public folder. The file names are not predictable (they are based on an MD5 hash of the user ID with a salt). When someone views the user's profile, I embed a link to the user's image.
I'm worried that someone may download the entire directory and misuse the images. How can I protect against this? Specifically:
- Are wget and curl the only realistic options for such an attack?
- I realise that wget respects robots.txt, but can I rely on this?
- Does curl respect robots.txt?
UPDATE: I'm using an Ubuntu server
Let me translate this: Everyone who knows how to get the profile page knows the URL of the image.
No.
Generally - you can only rely on this type of security if the obscurity is absolute. Anyone accessing a page linking to the picture can get the picture.
Anyone can try guessing names, but that you can easily block... or just use long enough random keys to make it very rare to get a hit.
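The "long enough random keys" point above, as an added Python example that is not part of the original posts: it contrasts a name derived from the user ID and a salt with a name drawn from the OS random source, and computes how rare a blind guess is. All function names are hypothetical, the salt and user IDs are constructed, and the `salt + user_id` layout is an assumption because the question does not give the exact scheme.

```python
import hashlib
import secrets


def derived_name(user_id, salt):
    """Scheme from the question: MD5 over user ID and salt (layout assumed)."""
    return hashlib.md5(f"{salt}{user_id}".encode()).hexdigest() + ".jpg"


def random_name(nbytes=16):
    """File name from the OS CSPRNG; carries no relation to the user ID."""
    return secrets.token_urlsafe(nbytes) + ".jpg"


def names_computable_from_salt(salt, max_id):
    """Every derived name is a pure function of (salt, id), so whoever
    holds the salt can list all of them without contacting the server."""
    return {derived_name(uid, salt) for uid in range(1, max_id + 1)}


def expected_hits(guesses, stored_files, key_bits):
    """Expected number of existing names hit by uniform blind guessing."""
    return guesses * stored_files / 2 ** key_bits


if __name__ == "__main__":
    salt = "constructed-salt"  # constructed sample value
    stored = {uid: derived_name(uid, salt) for uid in (1, 2, 3)}
    computable = names_computable_from_salt(salt, 3)
    print("derived names recomputable from salt:",
          set(stored.values()) <= computable)
    print("random name:", random_name())
    # One billion guesses against one million stored 128-bit names
    print("expected hits:", expected_hits(10**9, 10**6, 128))
```

Random names only address guessing; as the answer says, anyone who can load a profile page still sees that image's URL.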