Protect Images and Pictures

Currently, in Paid-Publications and Password-Protected/Private Blogs, images are available for viewing, downloading and external linking without entering a password or paying for membership. I think it would be a good idea if this didn’t happen. :slightly_smiling_face:

This is documented on GitHub in issues 11627 and 7768. Please see 11627 for steps on how to reproduce this behavior.

According to post 94:

Private blogs are great for when you just want your friends and family to have access to your posts, you want to run an internal company blog to share information between team members, or you’re just in the pre-launch phase.

When you enable password protection for your blog all social and search engine optimisation features are disabled, and visitors must enter the password to be able to view your content.

According to the Ghost Alternatives page, Ghost is good if:

I want secure, protected members-only content

Ghost provides 100% secure server-side content gating for members-only content, allowing you to publish to a limited audience. It is not possible to achieve this from most other platforms like Squarespace, Wix, Memberstack, SentryLogin, Piano and others — which are insecure and easily bypassed.

If you want secure, member-based publishing where you have full control and ownership of both your content and the platform itself, Ghost is a good choice.

Image protection would be valuable for the following use cases:

  • Internal company blogs where we want to share important images or diagrams, such as those containing roadmaps/plans, designs, and concepts
  • Private blogs where we only want friends or family to have access to our words and images
  • Paid publications that focus on written content but also have images that should be restricted to paying members
  • Paid publications that focus on Art as paid content but also have written content
  • Paid publications that focus on Photography as paid content but also have written content

An image is worth a thousand words. :framed_picture:

If we protect words, then perhaps we should protect images too. :smiley:

I love Ghost. Thanks for considering the idea. :slightly_smiling_face:

3 Likes

Sure, because the request is about members beta, which is where requests about the members beta go. I’m sure Naz was just having a long day and meant to link there

2 Likes

Hi I am a photographer and I am looking to build a member based publication predominately with images. This issue is one of the things I noticed after installing and playing around with Ghost. Ghost is fantastic :raised_hands: :raised_hands: :raised_hands: but being able to protect the pictures in a protected post is important for my use. Hopefully this will be considered and implemented in the near future. :pray: :+1:

1 Like

Hi, found a potential workaround to protect the images.
Basically test to see if the referrer is from the same domain by placing the following code in the nginx conf file. After putting this in the conf file, direct loading of images resulted in 403 Forbidden, but all the images when viewing on the site are also blocked. Not sure if I missed anything. If anyone who is more experienced with nginx config can shed some light, it’d be appreciated.

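    server {
        # Apply a Referer check to requests whose path ends in an image extension
        location ~ \.(gif|png|jpg|jpe?g)$ {
            # Accept a missing Referer, a stripped Referer, or this server's own names
            valid_referers none blocked server_names;
            if ($invalid_referer) {
                return 403;
            }
        }
    }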

Hello! Got it to work. Basically need to include the root directory of your website inside the location.

    location ~ \.(jpg|jpe?g)$ {
        # Only a Referer that names this server is accepted
        valid_referers server_names;
        if ($invalid_referer) {
            return 403;
        }
        # Directory the matching files are served from
        root /your/web/site/folder/;
    }

1 Like
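Added example, not code from any poster or from Ghost: a small Python model of how the two nginx rules posted above classify a request, covering only the location match and the `valid_referers` decision (not file serving). The hostname and request paths are constructed placeholders, and `referer_valid`, `decide` and `compare` are hypothetical helper names.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder: the thread never names the site.
SERVER_NAMES = {"blog.example.com"}

# The two rules from the thread: (location regex, valid_referers parameters).
FIRST_RULE = (r"\.(gif|png|jpg|jpe?g)$", {"none", "blocked", "server_names"})
SECOND_RULE = (r"\.(jpg|jpe?g)$", {"server_names"})

def referer_valid(referer, params):
    """Model of valid_referers: True means $invalid_referer stays empty."""
    if referer is None:                        # header absent -> "none"
        return "none" in params
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked" in params             # value stripped by a proxy or firewall
    host = urlsplit(referer).hostname
    return "server_names" in params and host in SERVER_NAMES

def decide(rule, path, referer):
    """Return '403', 'allowed', or 'not covered' when the location does not match."""
    pattern, params = rule
    if not re.search(pattern, path):           # `location ~` is case-sensitive
        return "not covered"
    return "allowed" if referer_valid(referer, params) else "403"

# Constructed sample requests: (path, Referer header or None).
SAMPLES = [
    ("/content/images/2024/01/photo.jpg", "https://blog.example.com/members-post/"),
    ("/content/images/2024/01/photo.jpg", None),
    ("/content/images/2024/01/photo.jpg", "https://other.example.net/"),
    ("/content/images/2024/01/diagram.png", "https://other.example.net/"),
    ("/content/images/2024/01/photo.JPG", None),
    ("/content/media/clip.mp4", None),
]

def compare(samples=SAMPLES):
    """One row per request: (path, referer, first-rule result, second-rule result)."""
    return [(p, r, decide(FIRST_RULE, p, r), decide(SECOND_RULE, p, r))
            for p, r in samples]

if __name__ == "__main__":
    for path, referer, first, second in compare():
        print(f"{path:40} {str(referer):42} {first:12} {second}")
```

Both rules decide from the request path and the Referer header alone; neither has any input for a member session, so they filter hotlinking rather than gate images by membership. Paths the regex does not match (other extensions, upper-case extensions) never reach the check.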

I see an official answer from @staff to 7768 that it doesn’t secure images by design since the “private” blogs feature is actually meant as a “temporary” or “coming soon” blog feature.

I am tens of hours deep with Ghost now and just found out it won’t work for my private photoblog. By any chance has there been a change of heart at Ghost in the last to make this feature actually mean “private”? If not, I would request clearer documentation. I strongly believe the current documentation is misleading about a sensitive topic. Ghost advertises strongly on being secure and easy for non-technical users. This is a very serious gap that I imagine has trapped a lot of people (many of whom may not realize their photos are in danger!).

Thanks! Presumably this works with videos as well, if you add mp4 to the location?

Hi, how to find the root directory? Inside the location? Can you explain it? I am not very good with it. Thank you! I am using Source Theme.

Root directory is the location where the Ghost blog is installed.

How are you hosting your Ghost blog?

I am using Ghost and Source Theme. http/…/ghost.io

Since Ghost Pro handles all the technical details for you, you can’t customize this rule for your blog images.

1 Like

Can I still use Ghost and host somewhere else to have more control?

Of course, Ghost is open source and you self host it.

Self hosting requires some knowledge of deployment and server management. To self host Ghost, you will need a VPS (server), a domain and a Mailgun account.

You can refer to this official doc for more information:

1 Like