Preventing hotlinking

From DreamHost

What is hotlinking?

Hotlinking occurs when a website directly accesses, rather than links to, a resource (such as an image, or a video) on a remote site. Unless the remote site has some form of restriction in place, the browser visiting the site will render the remote resource as if it were part of the original site. If this is done without authorization, the action is considered a form of bandwidth theft. Unless cached, the remote resource is retrieved from the remote site every time the linking web page is accessed, costing the remote site bandwidth. This article presents possible methods of preventing this kind of activity; however, hotlinking has advantages as well as disadvantages, and both are addressed in a sister article.

Preventing image hotlinking via the panel

You can prevent image hotlinking from the DreamHost panel, under the Goodies section, from the htaccess/webdav tab.

https://panel.dreamhost.com/index.cgi?tree=goodies.webdav

Click the domain in question, then add a directory matching the directory you want to protect. Tick the link protection option, add any extra domains that should be allowed to embed your files, and submit the form. Note that this overwrites any existing .htaccess file in that directory, and you will not be able to maintain your own .htaccess file there afterwards. This can break CMS software such as WordPress or Joomla installed in the same directory; in that case, use the manual .htaccess method below instead.

Preventing bandwidth theft via .htaccess

The instructions provided in this article deal with hidden files.

If you are using an FTP program, you must configure it to show hidden files.
If you are using the shell, you must use the ls -a command to see hidden files.

The other way you can prevent hotlinking is by adding lines to your .htaccess file manually. If you do not already have an .htaccess file, you can create one in a text editor; note the unusual filename ".htaccess", which begins with a dot. In the code below, your domain is assumed to be www.example.com; change the code to reflect your own domain name. Note also that file names on UNIX are case-sensitive, and so is the RewriteRule pattern by default: if you have upper-case file extensions, either list them explicitly (as the first example below does) or add the NC flag to the RewriteRule, for example [F,NC]. No changes to the examples are necessary depending on whether your website is configured to use www or no www. If your site is served over HTTPS, browsers send a Referer beginning with https://, which the http:// patterns below will not match; in that case, change http:// to https?:// in each RewriteCond.

Note: According to a divaHTML article, the HTTP_REFERER value may not always end with a slash, depending upon the browser. For instance, a browser may send http://www.example.com as the HTTP_REFERER. The anchored pattern ^http://(www\.)?example\.com(/.*)*$ matches the exact values http://www.example.com and http://www.example.com/ as well as any string starting with the http://www.example.com/ prefix. At the same time, it does not match strings in which a character other than a slash follows the host name (e.g. http://www.example.comtest.example.org or http://www.example.com.evil.test), which is why both the leading ^ and the trailing $ should be kept.

Preventing bandwidth theft

This method denies requests for the specified resources when the Referer header shows that they were requested from another domain. The client receives a short 403 response instead of the file, so almost none of your bandwidth is spent on the hotlinking site.

Blocking specific domains

The following code will return a 403 Forbidden error instead of the requested image, but only when the image has been requested by badsite.net or badsite.com:


RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(www\.)?badsite\.net(/.*)*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?badsite\.com(/.*)*$ [NC]
RewriteRule \.(jpeg|JPEG|jpe|JPE|jpg|JPG|gif|GIF|png|PNG|mng|MNG)$ - [F]

Note that the above example protects images only. Both the lower-case and the upper-case spelling of each extension are listed because the RewriteRule pattern is case-sensitive unless it carries the NC flag. To protect other resources, such as video and audio files, add their extensions to the parentheses block of the RewriteRule.

Blocking most domains

The following code will return a 403 Forbidden error instead of the requested resource, unless requested from example.com or livejournal.com (note that one of the allowed sites should be the domain where the resource is actually used):


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com(/.*)*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?livejournal\.com(/.*)*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(jpeg|gif|png)$ - [F]

In addition, since a user agent may not always send an HTTP_REFERER value, the RewriteCond %{HTTP_REFERER} !^$ line allows the request to go through when the HTTP_REFERER value is blank. This matters for legitimate visitors: a request typed directly into the address bar, a browser with a privacy extension that strips the header, or a linking page that sets a Referrer-Policy of no-referrer all arrive without a Referer and would otherwise be blocked too. The flip side is that the Referer header is supplied by the client, so a scraper can simply omit or forge it; these rules stop casual embedding of your files in other pages, not a determined downloader.
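As an added example (not part of the DreamHost article), the following Python script evaluates the page's Referer patterns offline, the way mod_rewrite does, so you can check them against sample Referer values before deploying. It covers the prefix behaviour described in the note above, the case sensitivity of the RewriteRule extension list, and the blank-Referer allowance; the schemes parameter, the helper names and the sample Referer/path pairs are assumptions constructed for the example.

```python
"""Offline model of the Referer checks made by the .htaccess rules above."""
import re


def referer_pattern(host, schemes="http"):
    # Build the page's anchored pattern for one allowed site:
    #   ^http://(www\.)?HOST(/.*)*$
    # It matches the bare origin, the origin with a trailing slash and any
    # path below it, but not "HOSTsomething.else" or "HOST.other.tld".
    # schemes="https?" is an assumption added here for sites served over TLS.
    return re.compile(r"^%s://(www\.)?%s(/.*)*$" % (schemes, re.escape(host)),
                      re.IGNORECASE)  # the [NC] flag on the RewriteCond


def is_hotlink(referer, path, allowed_hosts, extensions=r"jpe?g|gif|png",
               case_insensitive_ext=False, schemes="http"):
    # Mirrors the allow-list rule set:
    #   RewriteCond %{HTTP_REFERER} !^http://(www\.)?HOST(/.*)*$ [NC]   (one per host)
    #   RewriteCond %{HTTP_REFERER} !^$
    #   RewriteRule \.(EXT)$ - [F]
    # Every RewriteCond must hold for the rule to fire, i.e. the Referer is
    # non-blank and matches none of the allowed hosts. Returns True for a 403.
    rule = re.compile(r"\.(%s)$" % extensions,
                      re.IGNORECASE if case_insensitive_ext else 0)
    if not rule.search(path):
        return False  # RewriteRule pattern did not match: nothing happens
    if referer == "":
        return False  # !^$ fails for a blank Referer, so the request passes
    return not any(referer_pattern(h, schemes).match(referer)
                   for h in allowed_hosts)


def demo():
    # Constructed Referer / request-path pairs (test data, not real traffic);
    # returns {label: blocked?} for the page's "Blocking most domains" rules.
    allowed = ["example.com", "livejournal.com"]
    cases = {
        "own site, bare origin": ("http://www.example.com", "/img/a.jpg"),
        "own site, with path": ("http://example.com/gallery/", "/img/a.jpg"),
        "blank referer (direct/privacy)": ("", "/img/a.jpg"),
        "suffix trick": ("http://www.example.comtest.example.org/", "/img/a.jpg"),
        "lookalike domain": ("http://www.example.com.evil.test/", "/img/a.jpg"),
        "other subdomain of own site": ("http://img.example.com/", "/img/a.jpg"),
        "hotlinker": ("http://badsite.net/page.html", "/img/a.jpg"),
        "hotlinker, upper-case ext": ("http://badsite.net/page.html", "/img/a.JPG"),
        "non-image request": ("http://badsite.net/page.html", "/index.html"),
    }
    return {label: is_hotlink(ref, path, allowed)
            for label, (ref, path) in cases.items()}


if __name__ == "__main__":
    for label, blocked in demo().items():
        print("%-32s %s" % (label, "403 Forbidden" if blocked else "served"))
```

Two results are worth noting when you run it: a request for a.JPG from badsite.net is served, because the extension list is case-sensitive without the NC flag, and a Referer from img.example.com is blocked, because the pattern only allows an optional www. prefix. Passing schemes="https?" shows how an https:// Referer from your own site is handled by the adjusted pattern.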

Blocking all domains

The following code will return a 403 Forbidden error instead of the requested resource, unless the referrer is example.com, which should be changed to the domain of the site where the image is used:


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com(/.*)*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(jpe?g|gif|png)$ - [F]

As with the previous example, the RewriteCond %{HTTP_REFERER} !^$ line allows the request to go through if the HTTP_REFERER value consists of a blank string.

Replacing images

This method still spends some of your bandwidth, because your server delivers the replacement image for every hotlinked request, but it protects your images: the hotlinking page shows your replacement instead of the original. Keep the replacement image small. Hotlinking may decline over time as people learn that linking to your images does not work.

Please note that some programs (phpBB, for example) have been observed to treat a 302 redirect to the replacement image as an error condition and to retry repeatedly until the user browses to another page. The rules below substitute the replacement internally (no R flag and no full URL in the substitution), so the client receives it with a 200 status; an external redirect using [R] would trigger that behaviour.

Replacing the image

The following code will cause your server to send images/no_hotlink.jpg (a path relative to the directory holding the .htaccess file) instead of the requested image whenever the request carries a Referer from another site:


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com(/.*)*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(jpe?g|gif|png)$ images/no_hotlink.jpg [L]

Allow certain hotlinking

The following code will cause your server to send images/no_hotlink.jpg instead of the requested image, unless the request came from a page under a specified directory ("dir") of your own site. Note that this Referer pattern has no end anchor, so any page below /dir/ qualifies:


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/dir/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(jpe?g|gif|png)$ images/no_hotlink.jpg [L]

Block specific domains

The following code will cause your server to send images/no_hotlink.jpg instead of the requested image, but only when the image has been requested from a page on badsite.net or badsite.com:


RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(www\.)?badsite\.net(/.*)*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?badsite\.com(/.*)*$ [NC]
RewriteRule \.(jpe?g|gif|png)$ images/no_hotlink.jpg [L]
