by than3 1264 days ago
Can't you disallow external links that will redirect to a dynamic error page?

Things like HTTP Referrer, coupled with a set of rolling dynamic headers so actual site visitors aren't impacted, or significant rate limiting, or a simple non-malicious HTTP widget injection that sends a simple message, stop the unauthorized hotlinking.

You could even take it a step further by evaluating at the packet header level but that's a bit of a setup.

2 comments

Isn’t there a way to do this by looking at the Origin header or something? What you want is for the download link to work, but when the page is hot linked, the origin header won’t match and the link will be broken. That should be doable with a simple nginx rule.

You might not want to break the existing web link (if you don’t want to break existing sites). But you could move the link to the JavaScript code somewhere else which has this origin guarding behaviour.

Edit: There’s a better suggestion down thread. Put the JavaScript file in a zip file and let people download that. Brilliant.

In general the "best" solution here is to have URLs with a time-limited token. S3 and the like make this pretty easy to set up, but there's no reason you couldn't roll your own solution.