Bee-Tokens Security primer

There are 3 methods of securing the token-charged content on your website.

Method A: Hidden directory

Burying your content pages on your server under directory and file names that cannot easily be guessed.

Method B: Referrer checking

Installing a .htaccess file in the content directory, or in a folder above it, with restrictions that require the visitor to arrive from Bee-Tokens or from your own website when accessing the content.

Method C: BT XML Verify

An application, shipped with a self-extracting installer, that protects your site with a .htaccess file. The .htaccess calls the application, which compares your customer's credentials against the actual transaction log on Bee-Tokens and validates whether the transaction is genuine. The matching rules are customizable.

Security matrix:

Hidden directory (Method A)
  Available on:
    • All web servers
  Advantages:
    • Easy setup
    • Easy to manage
    • Quick setup time
  Disadvantages:
    • You can be hotlinked
    • Not very secure
    • Customers that bookmark the page may access the gallery again

Referrer checking (Method B)
  Available on:
    • Apache with .htaccess
    • IIS with 3rd party software
  Advantages:
    • Stops a good deal of fraud
    • Prevents hot linking
    • Prevents casual bookmarking
  Disadvantages:
    • Advanced hackers can simulate referrer data
    • Can block valid users whose security software prevents referrer data from being passed
    • No time constraint on access restrictions

BT XML Verify (Method C)
  Available on:
    • Apache only
  Advantages:
    • Application that actively connects to the Bee-Tokens server to verify the transaction
    • Allows you to set the level of matching (time, IP, URL)
    • Provides full directory protection; all files are protected
  Disadvantages:
    • Requires an Apache account that can run server-side scripting (most servers)

How to use the different methods:

Method A:

Just create a confusing directory structure and hide your content inside it.

Example: http://mywebsite.com/btokens/content/hYtxf435/index.html

Method B:

  1. Edit the file in a text editor and replace every occurrence of ‘mysitename.com’ with the actual URL of your website. Example:
    was: http://mysitename.com/
    now: http://JoesPictureShack.com/
  2. Upload this file to your web server at the top of your token storage; do not place it in the root folder of your website. Example:
    Tokens/sample.htaccess
  3. Rename the file to “.htaccess” (no quotation marks)
    NOTE: your FTP client may not show the file once you rename it. The leading period marks it as a hidden file, which many FTP clients and directory listings omit by default.
  4. Test that this works by creating a BT Gateway to content inside this folder, and make sure that when people click on thumbnails they see the image and not the deny page.
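The following is an added example of what the referrer-checking .htaccess from step 1 looks like once edited; it is not the sample.htaccess file Bee-Tokens distributes. The gateway hostname bee-tokens.example is a placeholder for the actual Bee-Tokens host, JoesPictureShack.com stands in for your own site, and /deny.html is an assumed deny page that must live outside the Tokens/ folder so the redirect is not itself blocked.

```apache
# Added example .htaccess for the Tokens/ directory (not the sample.htaccess
# file Bee-Tokens distributes). Hostnames are placeholders: replace
# bee-tokens.example with the actual Bee-Tokens gateway host and
# JoesPictureShack.com with your own site.
RewriteEngine On

# Let the request through when the Referer is the Bee-Tokens gateway or this
# site itself; any other Referer falls through to the deny rule below.
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?bee-tokens\.example/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?JoesPictureShack\.com/ [NC]

# A request carrying no Referer at all is also denied by the two conditions
# above. That is what blocks visitors whose privacy software strips the
# header. Uncommenting the line below would admit blank-Referer requests,
# which also admits anyone who types the URL directly or follows a bookmark.
#RewriteCond %{HTTP_REFERER} !^$

# Everything that reached this point is sent to the deny page, which lives
# outside Tokens/ so this .htaccess does not apply to it.
RewriteRule . /deny.html [R=302,L]
```

The Referer header is supplied by the visitor's browser, which is why the security matrix lists "advanced hackers can simulate referrer data" as a disadvantage: this file only checks where the browser claims the visitor came from, and it applies no time limit. Check the Apache error log after uploading if every request is denied; a missing mod_rewrite or an AllowOverride setting that forbids .htaccess rewrites shows up there.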

Method C:

Bee-Tokens cannot provide support for the Method C security installation. The application may or may not work. We have left it here in case you want to try it out.

  1. Upload this file to a directory on your server that is allowed to execute files; you may need to mark the file as executable after uploading. Most web servers have a cgi-bin/ folder that is already configured for this.
  2. Open the cgi-bin folder in your web browser, for example http://mysite.com/cgi-bin/btinstall.cgi
  3. Follow the on-screen instructions to protect your content.
  4. Test the security of your content with a valid transaction for content that is in the same folder as, or in a subfolder of, the folder the installer protected.

NOTES ABOUT METHOD C CONFIGURATION:

Security level 1: only a time window. For the set duration after a transaction, any user who has the URL can access the protected content.

Security level 2: checks that the user is coming from an IP address that has placed a transaction within the time window.

Security level 3: checks that the user is coming from the right IP address, within the specified time window, and is accessing the URL that is reported on the Bee-Tokens server.
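To make the difference between the three levels concrete, here is an added example that applies each level to a constructed transaction log. It is not the BT XML Verify application and does not show how that application fetches the log from Bee-Tokens; the record fields ip, url and time, the 30-minute window and the reading of level 1 as "any transaction inside the window, regardless of IP or URL, unlocks the content" are assumptions. The CGI variable names REMOTE_ADDR, HTTP_HOST and REQUEST_URI are the standard ones Apache passes to a CGI handler.

```python
"""Illustrative implementation of the three BT XML Verify security levels.

Added example, not the BT XML Verify application shipped by Bee-Tokens.
It assumes the transaction log has already been fetched from Bee-Tokens and
decoded into records with 'ip', 'url' and 'time' fields (assumed names).
"""
from datetime import datetime, timedelta

# Constructed sample transaction log (not real Bee-Tokens data).
TRANSACTIONS = [
    {"ip": "203.0.113.10",
     "url": "http://JoesPictureShack.com/Tokens/gallery1/index.html",
     "time": datetime(2024, 1, 1, 12, 0, 0)},
    {"ip": "198.51.100.7",
     "url": "http://JoesPictureShack.com/Tokens/gallery2/index.html",
     "time": datetime(2024, 1, 1, 12, 30, 0)},
]

# Assumed length of the access window that a transaction opens.
WINDOW = timedelta(minutes=30)


def recent_transactions(transactions, now, window=WINDOW):
    """Transactions whose window [time, time + window] contains `now`."""
    return [t for t in transactions if t["time"] <= now <= t["time"] + window]


def verify(level, client_ip, requested_url, now,
           transactions=TRANSACTIONS, window=WINDOW):
    """Return True if the request should be served at the given security level.

    level 1: some transaction exists inside the window (the URL alone is enough)
    level 2: the client IP placed a transaction inside the window
    level 3: the client IP placed a transaction for this exact URL inside the window
    """
    recent = recent_transactions(transactions, now, window)
    if level == 1:
        return bool(recent)
    if level == 2:
        return any(t["ip"] == client_ip for t in recent)
    if level == 3:
        return any(t["ip"] == client_ip and t["url"] == requested_url
                   for t in recent)
    raise ValueError(f"unknown security level: {level}")


def decide_from_cgi_env(level, env, now=None, transactions=TRANSACTIONS):
    """Run the check from CGI-style variables as an Apache handler would see them.

    REMOTE_ADDR is the connecting client's address, HTTP_HOST the Host header
    and REQUEST_URI the requested path; the three are joined into the URL
    that level 3 compares against the log. Returns the HTTP status to send.
    """
    now = now or datetime.now()
    scheme = "https" if env.get("HTTPS") == "on" else "http"
    url = f"{scheme}://{env['HTTP_HOST']}{env['REQUEST_URI']}"
    allowed = verify(level, env["REMOTE_ADDR"], url, now, transactions)
    return 200 if allowed else 403


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 15, 0)
    url = "http://JoesPictureShack.com/Tokens/gallery1/index.html"
    # A visitor from an address that never paid: level 1 lets them in, 2 and 3 do not.
    for lvl in (1, 2, 3):
        print(f"level {lvl}: {verify(lvl, '192.0.2.1', url, now)}")
```

The `__main__` block shows why the levels matter: a visitor who merely obtained the URL passes level 1 during the window but fails levels 2 and 3. Two caveats for deployment: REMOTE_ADDR is the address of whatever connects to Apache, so behind a proxy or CDN it is the proxy, and level 2 or 3 then compares the wrong address; and HTTP_HOST comes from the visitor's Host header, so the server should only accept its own hostnames there before trusting the assembled URL.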