How to disable direct access but only allow the website to see it?

Username (e.g. epiz_XXX) or Website URL


(please specify the website or account you are asking about)

Error Message

I want users to not have access to images or CSS files by direct access. But I want the website to have the ability to view it.
(please share the FULL error message you see)

Other Information

(other information and details relevant to your question)

Sorry, but that is impossible. If the web browser can find them, so can normal users. Even Google has this problem.


It’s possible in theory with PHP I think, but the server power cost to run that vastly outweighs the benefits of saving the bandwidth. And any solution I can think of can easily be circumvented, because it’s not hard to manipulate a request into making it looks like the resource was embedded and not accessed directly.

In the end, if you want browsers to render your CSS, browsers need to be able to access your CSS, which means the person using that browser can get the CSS as well. And there is no way around that.


I seem some sites to have the ability to disable direct access to certain files.
Which says “You do not have access” or :“You do not have permission”

Correct, but the browser cannot access those either. If you want to put a restriction on it, then the browser would not be able to render it (So the CSS would not run, and the image should not show up).

1 Like

How is the website able to give access to it?

Sorry, but I do not understand your question.

One of the two things are possible (Just going to use an image file for this exmaple):

  1. NO ONE can access the image without being authenticated (This means that the image will not show up on the website, and it cannot be directly accessed)

  2. Everyone can access the image, either by direct access or by just viewing it on the website.

Plus, blocking direct access to images is pointless since users can just screenshot it, and blocking direct access to CSS is also pointless since it can be copied from dev-tools.


Some CDNs do have that feature, they show an error like:

error id: XXXXXX DIrect access disabled

I use aws cloudfront, and I leverage this feature.
I think some sort of CORS mechanism works here, impossible on IF ig.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.