Prevent hotlinking of your site images

A common problem with image-intensive sites is “image theft”, also known as hotlinking. If your site hosts images that other sites are linking to, it can cause a substantial increase in your bandwidth costs. For small sites that pay by the gigabyte this can be quite a problem. For example, if a hotlinked image of 150K from your site is being accessed 1000 times a day, then that’s around 145MB of wasted data transferred from your site daily. Add a few more images and the bandwidth costs quickly add up. A simple way to stop this is to use .htaccess to disallow other sites from hotlinking to your images.

The Rewrite rule

The complete .htaccess rule to prevent image hotlinking is shown below. Each line is explained in the next section.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?codediesel\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(gif|bmp|png|jpe?g)$ /var/www/images/myhotlink.gif [L]

RewriteRule breakdown

The first line switches on the rewrite engine. The second line checks whether the image was requested from a page on our own site. The [NC] at the end is the no-case flag: a condition with this flag does not care whether the text being matched is uppercase or lowercase. The default behavior of the RewriteRule directive is to be case sensitive. If you have another site that you want to be able to link to your images, add a condition for it to your .htaccess:

# Only allow image linking for 'codediesel.com' and 'friendly-site.com'
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?codediesel\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?friendly-site\.com/ [NC]

The third line ensures that we accept requests made directly for the image without a referer, so the images are still displayed if a user agent sends an empty referer. This can happen for a variety of reasons. Some browsers, for reasons of privacy, can be configured never to send referer information.

RewriteCond %{HTTP_REFERER} !^$

The last line restricts the rule to file names ending in .jp(e)g, .gif, .bmp, or .png, so it is triggered only for images and not for other files. When an attempt is made to hotlink an image from a domain other than the ones specified, the image named in the rule, ‘myhotlink.gif’ here, is returned instead.

RewriteRule .*\.(gif|bmp|png|jpe?g)$ /var/www/images/myhotlink.gif [L]

A variation of this is to use the forbidden flag, [F], which returns a 403 Forbidden response instead of a replacement image.

RewriteRule .*\.(gif|bmp|png|jpe?g)$ - [F]
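
The conditions above decide purely on the Referer string, so it is worth checking which referers actually pass. The following is an added example, not code from the original post: it models the rule set in Python over constructed referers and compares the `(.+\.)?` subdomain group used above with an assumed tighter `([^/]+\.)?` form. The names `is_blocked` and `report`, the host `example.net` and the tightened pattern are assumptions of the example, and both patterns accept `https` as well as `http`.

```python
import re

# Pattern shape from the rule above: "(.+\.)?" is meant to match an optional subdomain.
PAGE_PATTERN = r"^https?://(.+\.)?codediesel\.com/"
# Assumed tightening (not from the original post): the optional subdomain group
# may not contain "/", so the match has to finish inside the host part.
TIGHT_PATTERN = r"^https?://([^/]+\.)?codediesel\.com/"

# RewriteRule pattern; there is no [NC] on it, so it stays case sensitive.
IMAGE_RULE = re.compile(r".*\.(gif|bmp|png|jpe?g)$")


def is_blocked(path, referer, allow_pattern):
    """Model the rule set: True when the RewriteRule would fire for this request."""
    # The RewriteRule pattern is tested first; non-image paths are never touched.
    if not IMAGE_RULE.match(path):
        return False
    # RewriteCond %{HTTP_REFERER} !^$  -> an empty Referer is always let through.
    if referer == "":
        return False
    # RewriteCond %{HTTP_REFERER} !<allow_pattern> [NC]
    # The rule fires only when the Referer does NOT match the allow pattern.
    return re.search(allow_pattern, referer, re.IGNORECASE) is None


# Constructed sample referers (example.net stands in for a third-party site).
SAMPLES = [
    "",
    "http://codediesel.com/post/",
    "https://WWW.CodeDiesel.com/gallery/",
    "http://example.net/page.html",
    "http://codediesel.com.example.net/",
    "http://example.net/x.codediesel.com/",
]


def report(path="images/sample-image.png"):
    """Return {referer: (blocked_by_page_pattern, blocked_by_tight_pattern)}."""
    return {r: (is_blocked(path, r, PAGE_PATTERN),
                is_blocked(path, r, TIGHT_PATTERN)) for r in SAMPLES}


if __name__ == "__main__":
    for referer, (page, tight) in report().items():
        print(f"{referer or '(empty)':45} page={page!s:5} tight={tight}")
```

A row where the two columns differ is a referer that contains the allowed domain only after the host part.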

Testing if your htaccess rule is working

A quick way to test whether your hotlink-blocking rules are working is to use a free online hotlink checker. Alternatively, create a simple HTML page on your localhost that references your image. Before checking, make sure that your browser cache has been cleared.

<html>
<body>
<img src="http://www.your-site.com/images/sample-image.png" />
</body>
</html>

Although there are other ways to prevent image hotlinking, this is the quickest that I know of. As with any .htaccess rewrite, these techniques may block some users behind proxies or firewalls.

One thought on “Prevent hotlinking of your site images”

  1. I was having some issues regarding hotlinking with some forum lately. Besides the .htaccess part I decided to have some fun with the hotlinkers so I’m redirecting the referer to a PHP script to log the hotlinker and do some funny stuff.

    Have a look at my site to see how it works.
