How to camouflage a page link

What happens is the call checks the REFERER, as per wikipedia:

The referer, or HTTP referer (is misspelled as a referer in the official HTTP specifications and has been standardized since then), is an HTTP header field that identifies the web page address (i.e. the URI or IRI) that links to the resource being requested. By checking the referer, the new web page can see where the request originated. (In short: know where the user came from, ie which page he was that sent him to your site).

In the most common situation, this means that when a user clicks on a hyperlink in a web browser, the browser sends a request to the server that stores the target web page. The request includes the referer field, which indicates the last page the user was on (the one he clicked on the link).

The referer log is used to allow web sites and web servers to identify where people are visiting you from, for promotional or statistical purposes.

This means that when a user clicks on a link from a web browser, the browser sends a request to the server that contains the landing page. The request includes referrer information, informing the page that the user was previously.

Understanding what the REFERER is (http)

To detail, suppose you have a page/site called http://exemplo.com/pagina.html and on this page there is a player:

<object classid="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"
codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701"
type="application/x-oleobject">
    <param name="fileName" value="musicas.m3u">
    <embed type="application/x-mplayer2"
     pluginspage="http://www.microsoft.com/Windows/MediaPlayer/"
     src="musicas.m3u">
</object>

When the player calls the file musicas.m3u, this request will receive something like:

GET /musicas.m3u HTTP/1.1
Host: exemplo.com
Connection: keep-alive
Cache-Control: max-age=0
Referer: exemplo.com/pagina.html

See the Referer: exemplo.com/pagina.html detects that the call came from exemplo.com/pagina.html.

But if you copy the playlist address and try to open directly http://exemplo.com/musicas.m3u, the browser will send the request this way:

GET /musicas.m3u HTTP/1.1
Host: exemplo.com
Connection: keep-alive
Cache-Control: max-age=0

Note that now we do not have the REFERER.

How to use the REFERER

You can use PHP, but if your files are static (they are not generated by. php pages, they are real files called .m3u) you can use the .htaccess to prevent access if it does not have the REFERER (or is called direct), this will also prevent other sites from using yours. m3u on external pages, saving the traffic of your site, this technique is called prevent hotlink or stop hotlink.

Create a file in the root folder (if you’re using Apache) and add this (you also need to prevent caching):

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?exemplo.com [NC]
RewriteRule \.m3u$ - [NC,F,L] #NC é para case-insensitive 

<FilesMatch "\.(?i:m3u)$">
  FileETag None
  <IfModule mod_headers.c>
     Header unset ETag
     Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
     Header set Pragma "no-cache"
     Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
  </IfModule>
</FilesMatch>

If you call any file .m3u by browser url or by another website it will block access by showing error 403, if opened by the player it will open the file normally.

But if your file .m3u, it’s actually a file .php, create a file called playlist.php and add this:

<?php
$g = gmdate('D, d M Y H:i:s');
header('Expires: ' . $g . ' GMT');
header('Last-Modified: ' . $g . ' GMT');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: post-check=0, pre-check=0', false);
header('Pragma: no-cache');

$parsed = empty($_SERVER['HTTP_REFERER']) ? false : parse_url($_SERVER['HTTP_REFERER']);

if (false === empty($parsed['host']) && $parsed['host'] !== 'exemplo.com') {
    header('Content-Type: audio/x-mpegurl'); //Aplica o mimetype necessário para o player reconhecer o arquivo que é gerado dinamicamente
    echo file_get_contents('arquivo.m3u');//Lê o seu arquivo
} else {
    echo 'Hot link';
}

And you must call him that:

<object classid="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"
codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701"
type="application/x-oleobject">
    <param name="fileName" value="playlist.php">
    <embed type="application/x-mplayer2"
     pluginspage="http://www.microsoft.com/Windows/MediaPlayer/"
     src="playlist.php">
</object>

If called by the player the file .php generates the playlist used file_get_contents, already if it is called by the browser url or other site it will show the following error Hot link.

Controversies

Although this technique helps protect, everything can be swindled and really this is just a prevention, but it is not 100% safe, a simple way to circumvent is to inject the link to the .m3u on the site page using javascript (by the browser console) and if you click on the link you are likely to be able to download.

If you are using server Apache, can restrict access to the file to a DOMAIN or IP by creating a file .htaccess:

RewriteEngine on 
RewriteCond %{HTTP_REFERER} !^http://(www\.)?seudominio [NC] 
RewriteCond %{HTTP_REFERER} !^http://(www\.)?seudominio.*$ [NC] 
RewriteRule \.(m3u|mp3)$ - [F]