si-blog

Prevent hotlinking

Posted Apr 02, 2005 in Miscellaneous, Technology, Web Design.

It has been a long time since I wrote any articles. Now that I have a little more time on my hands, I will probably be adding more. The last two articles were XHTML-specific, but my new one on preventing “hotlinking” is Apache-specific, because it relies on .htaccess.

There are two basic methods in the article. One involves substituting requested images for an alternative. The other is a simple denial (serving up an error). There are a number of variations to play with, and the techniques can easily be adapted to work with files other than images.

Comments

  1.

    Good article. I especially like the "Blocking all domains" method. I didn't know how to use the "!" in regular expressions. Thanks Simon :)

    Posted by Remi Prevost on Apr 03, 2005.

  2.

    Good article, but there are a couple of improvements to be made. This, for example:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^$
    RewriteRule \.(jpe?g|gif|png)$ images/no_hotlink.jpg [L]

    As I read it, it will disallow requests with non-blank Referers that don't come from example.com. I have heard that there are several "firewall" applications that change the Referer header to something like "Blocked by [firewall]".

    What is probably best is to block Referers that:

    a) aren't blank,
    b) don't match the domain, and
    c) begin with 'http://'.

    The other problem is with the flags you use to do the redirect. [L] is quite proper, of course, there's no need to process any more rewrite rules, but you are missing the R flag to redirect externally - the default is to perform the redirect internally.

    The difference is that if an external website links to two images, /image-a.jpeg and /image-b.jpeg, the rule as it stands will serve your forbidden image as two separate resources. With the R flag, it will redirect both to the forbidden image, which will be served as the same resource in both cases.

    When you are attempting to save bandwidth, the difference between serving two independent resources and serving a single resource may well be significant, as a typical visitor to the external site will only be downloading a single copy of the forbidden image from you rather than two copies under different URIs.

    More info:

    http://httpd.apache.org/docs-2.0/mod/mod_rewrite.html#redirect

    Posted by Jim Dabell on Apr 04, 2005.

  3.

    Jim - I've added the [R] flag as you suggested. I've been mulling the other suggestion over, and I think it has merit; however, I am not sure how to compose the rewrite rule to handle it.

    Posted by Simon Jessey on Apr 05, 2005.

  4.

    I think an extra RewriteCond will do the trick:

    RewriteCond %{HTTP_REFERER} ^http:// [NC]

    Posted by Jim Dabell on Apr 05, 2005.
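As an added worked example (not code from the article or from any commenter), here is a small Python model of the combined rule set discussed in the thread: the two RewriteCond lines quoted in comment 2, the extra `^http://` condition from comment 4, and the RewriteRule, with the dots in the hostname pattern escaped. It assumes the substitute image lives at `/images/no_hotlink.jpg`, and it adds one condition of its own, exempting that image from the rule so a redirected request (same Referer, path still ending in `.jpg`) does not fire the rule again; that exemption is an assumption, not something on the page. The `respond` function also shows the `[L]` versus `[R,L]` difference: an internal rewrite serves the substitute bytes under each hotlinked URI, an external redirect collapses them onto one URI.

```python
import re

# Added illustration of the .htaccess rules discussed in the thread; it is not
# the article's code.  The regexes are the ones quoted above (dots escaped),
# plus the extra "^http://" condition suggested in the comments.
ALLOWED_SITE_RE = re.compile(r"^http://(www\.)?example\.com/", re.IGNORECASE)  # [NC]
HTTP_SCHEME_RE = re.compile(r"^http://", re.IGNORECASE)                        # [NC]
IMAGE_RE = re.compile(r"\.(jpe?g|gif|png)$")   # RewriteRule pattern, case-sensitive as quoted
NO_HOTLINK = "/images/no_hotlink.jpg"          # assumed location of the substitute image
# Assumption not on the page: exempt the substitute image itself, otherwise the
# redirected request (same Referer, path ending in .jpg) would fire the rule again.
EXEMPT_RE = re.compile(r"no_hotlink\.jpg$")


def rule_fires(request_path, referer):
    """True when every RewriteCond holds and the RewriteRule pattern matches.

    Apache ANDs consecutive RewriteCond lines, so an empty Referer, or one that
    does not start with http:// (e.g. a firewall's "Blocked by ..." string),
    fails a condition and the image is served normally.
    """
    conditions = (
        ALLOWED_SITE_RE.match(referer) is None,     # !^http://(www\.)?example\.com/ [NC]
        referer != "",                              # !^$
        HTTP_SCHEME_RE.match(referer) is not None,  # ^http:// [NC]  (extra condition)
        EXEMPT_RE.search(request_path) is None,     # added: never rewrite the substitute
    )
    return all(conditions) and IMAGE_RE.search(request_path) is not None


def respond(request_path, referer, external_redirect=True):
    """Simulate the first response to one request.

    [R,L]: a 302 whose Location is the single no_hotlink URI.
    [L] only: internal rewrite, so the no_hotlink bytes are served under the
    URI the hotlinking page asked for.
    """
    if not rule_fires(request_path, referer):
        return {"status": 200, "uri": request_path, "file": request_path}
    if external_redirect:
        return {"status": 302, "uri": NO_HOTLINK, "file": None}
    return {"status": 200, "uri": request_path, "file": NO_HOTLINK}


def distinct_uris(request_paths, referer, external_redirect=True):
    """URIs a visitor of the hotlinking page ends up fetching (or being sent to).

    This is the bandwidth point from the thread: with an external redirect both
    hotlinked images collapse onto one cacheable URI; without it there are two.
    """
    return {respond(p, referer, external_redirect)["uri"] for p in request_paths}


def referer_matches(referer, pattern):
    """Check a Referer against a site pattern.

    Used to show why the dots must be escaped: an unescaped '.' matches any
    character, so '(www.)?example.com' also accepts a host such as example-com.
    """
    return re.match(pattern, referer, re.IGNORECASE) is not None


if __name__ == "__main__":
    cases = [  # constructed sample requests: (path, Referer header)
        ("/image-a.jpeg", "http://www.example.com/gallery.html"),
        ("/image-a.jpeg", ""),
        ("/image-a.jpeg", "Blocked by firewall"),
        ("/image-a.jpeg", "http://other.example.net/page.html"),
        ("/style.css", "http://other.example.net/page.html"),
    ]
    for path, ref in cases:
        print(path, repr(ref), "->", respond(path, ref))
```

Running the block prints one decision per constructed request; the only 302 is the image requested from a page on another host with a proper `http://` Referer, while the blank and "Blocked by firewall" Referers are served normally.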

  5.

    I have no way of testing it, but I'll add it and see what happens. I'll credit you in the revised article, so you can share the blame :D

    Posted by Simon Jessey on Apr 05, 2005.