
I've been searching the web, but can't find an answer to this specific issue.

I'm using the IIS Rewrite module to block direct access to WOFF and EOT files, to discourage hotlinking and theft of font files. I'm doing this by denying the request if the HTTP_REFERER doesn't match the server name.

The blocking works fine. However I'm a bit unsure about which is the most appropriate response code to return to the client.

This isn't exactly the same as blocking a restricted file type, like .config, .asax etc., as it is perfectly reasonable and legal for the browser to request these files, but only if the request is referred correctly.

Logically I'm thinking that 403 is the most correct response, as the server understands the request, but it is refusing to serve the content due to the way the request is received (direct not referred).

My primary concern with 404 is that a browser or proxy etc. might then determine that the URL is invalid, and stop issuing further requests for the resource.

Another concern I have specifically with 403 is that some browsers might interpret this incorrectly and attempt to obtain additional authentication from the user for the request.

The other option would be to simply abort the request, which results in the socket connection being dropped. While extremely simple to do, I don't know how all clients might respond to this. For example, I'm wondering if some browsers or search engines might see this as a temporary network fault, and therefore keep trying to re-issue the request.

Basically I want to ensure that legitimate requests for these font files will always work correctly, while also (as far as possible) protecting the files from misuse.

Any thoughts would be greatly appreciated.

user1751825
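For reference, an added example of the kind of URL Rewrite rule the question describes, written by the editor rather than taken from the question or from Microsoft's documentation. It assumes the site is served as example.com (a placeholder hostname) and that the rule lives in the site's web.config. It answers with 403 rather than 404, because the URL is valid and the request is merely refused; a 403 on its own does not prompt for credentials, since browsers only do that for a 401 carrying a WWW-Authenticate header. The second condition lets requests with an empty Referer through, because browsers honouring a no-referrer policy, some privacy tools and some proxies strip the header and those are usually legitimate visitors; delete it if you prefer a strict check. Note that a Referer check only deters casual hotlinking, since any script can send whatever Referer it likes.

```xml
<!-- Added example (not the asker's own config); goes in the site's web.config -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Block font hotlinking" stopProcessing="true">
          <!-- Only WOFF and EOT files are affected; everything else passes through -->
          <match url="\.(woff|eot)$" ignoreCase="true" />
          <conditions logicalGrouping="MatchAll">
            <!-- example.com is an assumption; replace with the real site name(s) -->
            <add input="{HTTP_REFERER}" pattern="^https?://(www\.)?example\.com/" negate="true" />
            <!-- Allow requests that carry no Referer at all; remove for a strict check -->
            <add input="{HTTP_REFERER}" pattern="^$" negate="true" />
          </conditions>
          <!-- 403: the server understood the request but refuses to serve it -->
          <action type="CustomResponse" statusCode="403" subStatusCode="0"
                  statusReason="Forbidden"
                  statusDescription="Font files may not be hotlinked." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

To check the rule, request a font file with and without a matching Referer (for example with curl's -e option) and confirm that only the direct request gets the 403, while a request referred from the site itself still returns the file with 200.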