Now, before you take that headline as an admission of guilt… it’s the title of a project I’ve been scheming up for awhile, a chunk of PHP that helps you prevent people from stealing your stuff; that stuff most notably being your CSS files, though I have one more writeup on the theme coming shortly after.

It’s always a dilemma for me when CSS comes up. I know that I, like many other people, learned CSS from looking at the work of other people to see how they did things. I would like to be able to let people look at my CSS and learn from me, not that mine is exemplary or anything, just humor me. So, in a way it’s difficult to even consider working through a solution like this, in other ways I remember the people who rip off CSS and claim it as their own work without much moral negotiation. This won’t stop everyone, but it will slow someone down or at least make them think.

Securing Your CSS With PHP

First of all, for a variety of reasons I’m delivering my CSS from a PHP file. This gives me some control over the output and, for example, allows me to check and see which browser is being used and which things should be included in the screen rendering in order to avoid having to use CSS hacks. (Read as “I don’t like IE6 and so this is my way around ugly hacks that still keeps IE looking simiflar.” ) If you don’t like that route and want to keep things purely CSS, that’s fine too, you can just incorporate the redirect I’m using in the second example and branch it to either include your real CSS file or a fake CSS file depending on the findings of the page reference, that’s your decision. But more on that later.

If you haven’t ever put CSS into a PHP file there are a few lines that you should add into the top of your document so that the server and your browser know how to work with the PHP’d CSS file. That code is something like this:

ob_start ("ob_gzhandler");
header("Content-type: text/css");
header("Cache-Control: must-revalidate"); 

After declaring that this PHP file is now a CSS document we can start the “delivery enhancements.”

The first chunk of code is fairly simple, and it’s intended for cases where people are either linking to your CSS file from a distance or trying to view the CSS directly and are then pasting it wholesale into their CSS document.

First, it attempts to get the identity of the page that is referencing it and checks to see if it is a page on your site. In my case it would look something like:

// checks to see which page is referencing the file.
$httpref = getenv ("HTTP_REFERER");
// check and see if your site is actually the initiator of the request, if it is the 
variable $valid is set. The second line tests against the user having left 
off the www in the URL.
if (eregi("", $httpref)) { $valid="valid";} 
if (eregi("", $httpref)) { $valid="valid";} 

Once it has determined the validity of the request it says “if this request is not coming from the real website, give them the `false CSS file markup and die.’” That code looks something like this:

if ($valid!="valid") { echo "stolen tag"; die; }

Where the code in my example says “stolen tag” I have replaced it in my real PHP file with some fake CSS to add some flair and artistry. I made a mockup page of what a website would look like if they did attempt to rip off the protected CSS file, I even kept the same content from my homepage.

For your benefit I have also included the example in one collective PHP script for easy download.

The Selected Redirect Route

If you’re not interested in modifying your CSS file and going with the PHP route you could always redirect with an external PHP file. For example, your site references the PHP file first and determines if the request is legitimate or not and acts accordingly. If it is a proper request then it redirects to the real style sheet, if not, they get a false CSS file. The code could look like this:

// check the referring page
$httpref = getenv ("HTTP_REFERER");
if (eregi("", $httpref)) { $valid="valid";}
if (eregi("", $httpref)) { $valid="valid";}
// if it is valid, redirect the page to the proper CSS file, if not, show 
them the other.
if ($valid=="valid")
    header( 'Location: real-sheet.php' ) ;
} else {
	header( 'Location: thievery.css' ) ;

You can see this in action at the second demo page. It functions almost identically to the other example but the difference is that you don’t have to mess with your current CSS work, you just have to create a fake one or not. You could just give them an error message instead of CSS information, that would probably mess with their heads a little more than the examples I have here.

Further thoughts

There are other things you could add to this concept to really get strict. You could incorporate a chunk of PHP that would open up a text document and write down the IP, referral address and the time of every false request on your site. I would guess that the list on that would be quite long and more than likely not worth your time. You could save yourself the time and add the image file you are loading as a background into your CMS so you can watch how many times people are downloading it, just to keep track. Things like these could be done fairly quickly if you needed that extra functionality, because PHP just lends itself to that sort of stuff.

As I said before, I have another example to go along with this theme, but I’m still working out the last few problems with it. Hopefully this helps slow down the people who want to wholesale your CSS work. Good luck.