TGPs Rule!
Old 08-20-2004, 06:42 PM
hacktic
.htaccess Anti-Hotlink Tutorial

Posting it here again by request

Hey! That's mine!

If a 100K .jpg is hotlinked on a site that gets, say, 1,000 hits a day, that's 100MB of data transferred from your site without a single person actually visiting your site. If you pay money per gigabyte -- this can add up. And if someone were to leech an entire gallery from your site?

Will My Host Support It?

This is probably the hardest question to give a simple answer to. Many hosts support .htaccess but don't actually publicise it and many other hosts have the capability but do not allow their users to have a .htaccess file. As a general rule, if your server runs Unix or Linux, or any version of the Apache web server it will support .htaccess, although your host may not allow you to use it.

A good sign of whether your host allows .htaccess files is if they support password protection of folders. To do this they will need to offer .htaccess (although in a few cases they will offer password protection but not let you use .htaccess). The best thing to do if you are unsure is to either upload your own .htaccess file and see if it works or e-mail your web host and ask them.

Potential Problems

This method relies on the HTTP_REFERER variable (the variable that contains information about the referring page) being properly sent by the visitor's browser. A number of modern browsers as well as some of the anonymous surfing proxies and firewalls allow the user to change this header. These browsers or proxies will thus either transmit HTTP_REFERER headers that have some user-specified value or not bother to transmit them at all. There are also buggy browsers around that unpredictably transmit the wrong HTTP_REFERER header on occasion.

When this occurs your visitor may not be able to view the image even when he is on your site.
Hopefully the percentage of people who encounter this is small, but you have to be aware that these situations do occur.

Now it gets interesting

The usual approach is to instruct the server to deny all requests for images where the HTTP referer header is not either from your own site (or blank). Thus, only people actually browsing your web site - or those whose browsers are not passing referrer headers for whatever reason - will be able to see the image.

A second approach is to redirect off-site traffic to an alternate image - either a general "hotlinking denied" image, or (in the case of some mischievous webmasters) something more shocking. That's what we will do.

Add the following code to your .htaccess file:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} .*jpg$|.*gif$|.*png$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !yoursite\.com [NC]
RewriteCond %{HTTP_REFERER} !friendlysite\.com [NC]
RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
RewriteRule (.*) /denied.jpg

Let's go through this one line at a time. RewriteEngine On gets mod_rewrite ready to do its stuff. First come the conditions:

RewriteCond %{REQUEST_FILENAME} .*jpg$|.*gif$|.*png$ [NC]

Okay. First condition: the file name must end in .jpg, .gif, or .png. This makes sure our hotlink prevention only triggers on images. You might want to change this to include .avi, .mpg, or other similar files.

RewriteCond %{HTTP_REFERER} !^$

Second condition: the referrer must not be blank. This means that people who aren't passing referrer headers, for whatever reason, will still be able to see your images.

RewriteCond %{HTTP_REFERER} !yoursite\.com [NC]
RewriteCond %{HTTP_REFERER} !friendlysite\.com [NC]

These next conditions allow linking from your own site, and any other friendly sites that you want to allow linking from. Change the sites to your own, of course. Apache isn't psychic.

(Don't know what the ! \ .*$ is all about? It's a regular expression. If you keep the format the same, you don't need to worry about it.)

RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]

Okay. Finally, let's let Google get through. These last conditions allow people using the Google cache and Google Image Search to see your pictures. (You might want to remove this if you don't want people to find your pictures this way)

On to the last line of the .htaccess file, which is:

RewriteRule (.*) /denied.jpg

This last rule silently redirects the request to /denied.jpg . Thanks to the wonder of Apache, this will automatically include all necessary slashes and path information, and not be visible to the end user.

Note: For some reason, the HTTP specifications misspell "referrer" as "referer".

I gotta question;
is the .jpg, .gif in this line case sensitive?
RewriteCond %{REQUEST_FILENAME} .*jpg$|.*gif$|.*png$ [NC]

in other words if I have pics named pic1.JPG
will this still prevent hotlinking or should the all caps version be added?

the [NC] at the end of each line = No Case
This makes the condition pattern case insensitive, no difference between 'A-Z' and 'a-z'.
Reply With Quote
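Added example, not part of the original thread: a small Python emulation of the rule set above, run over constructed requests, to check which ones are served and which get /denied.jpg. It also shows that the `!yoursite\.com` conditions match anywhere in the Referer string, and compares them with a stricter host comparison; that stricter variant, the `forum.example` referers and the function names are assumptions made for illustration, and the variant leaves out the Google conditions.

```python
import re
from urllib.parse import urlsplit

# Condition patterns copied from the tutorial's .htaccess; [NC] maps to re.I.
IMAGE = re.compile(r".*jpg$|.*gif$|.*png$", re.I)
PAGE_CONDS = [  # each of these is negated with "!" in the tutorial
    re.compile(r"^$"),
    re.compile(r"yoursite\.com", re.I),
    re.compile(r"friendlysite\.com", re.I),
    re.compile(r"google\.", re.I),
    re.compile(r"search\?q=cache", re.I),
]
# Assumption: hosts allowed by the stricter variant (the tutorial's placeholders).
ALLOWED_HOSTS = ("yoursite.com", "friendlysite.com")


def page_rules(filename, referer):
    """Return the file served when the tutorial's rule set is applied as written."""
    if not IMAGE.search(filename):
        return filename
    # RewriteCond lines are ANDed: the rule fires only if no pattern matches.
    if all(not p.search(referer) for p in PAGE_CONDS):
        return "/denied.jpg"
    return filename


def host_checked(filename, referer):
    """Stricter variant (added here): compare the Referer's host, not a substring."""
    if not IMAGE.search(filename) or referer == "":
        return filename
    host = (urlsplit(referer).hostname or "").lower()
    ok = any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)
    return filename if ok else "/denied.jpg"


# Constructed sample requests: (requested file, Referer header)
SAMPLES = [
    ("/gal/pic1.JPG", "http://www.yoursite.com/gal/index.html"),
    ("/gal/pic1.JPG", ""),
    ("/gal/pic1.JPG", "http://forum.example/thread/42"),
    ("/gal/pic1.JPG", "http://forum.example/thread/42?ref=yoursite.com"),
    ("/gal/pic1.JPG", "http://yoursite.com.forum.example/"),
    ("/gal/index.html", "http://forum.example/thread/42"),
]

if __name__ == "__main__":
    for f, r in SAMPLES:
        print(f"{r or '(blank)':50} page={page_rules(f, r):15} strict={host_checked(f, r)}")
```

In an .htaccess file the same tightening would mean anchoring the pattern to the scheme and host part of the Referer instead of matching the bare domain string.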
Old 12-03-2004, 04:05 PM
truthhurts

truth: now that's a good thread finally!
All times are GMT -5. The time now is 09:26 AM.