Prevent Hotlinks To Your Images

Hotlinking is when another website tries to include an image hosted on your website in their web page via “<IMG></IMG>” tags. This is a form of image theft and copyright infringement where they are using your intellectual property without your permission. I have included code similar to this sample code below in the .htaccess file placed at the root folder of my website. The basic policy that this institutes is that all hotlinking is forbidden unless explicitly granted. Here are some guides to help you understand the sample code.

  • The exclamation point in each statement means “NOT” or “doesn’t match”.
  • The caret (^) sign means “starts with”.
  • The string “http(s)?” matches http or https.
  • The string “(www\.)?” matches websites with or without the “www” prefix.
  • The string “[NC]” means “not case sensitive”.
  • The HTTP_REFERER variable means the webpage on which the hotlink appears.
  • The REQUEST_FILENAME variable means the filename requested (being hotlinked).

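In the sample code, if your site doesn’t match A or B or …, you get a different image with a nasty message. Apache ANDs consecutive RewriteCond lines, so the rule fires only when every “doesn’t match” condition holds.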

#
# Turn on URL rewrite
#
RewriteEngine on
#
# Use my website's root folder as the reference base
#
RewriteBase /
#
# allow hotlinks with no referer provided
# (some browsers strip HTTP_REFERER for privacy)
#
RewriteCond %{HTTP_REFERER} !^$ [NC]
#
# always allow my own website to display images
# (dots are escaped and (/|$) ends the host name, so a look-alike
# domain that merely starts with an allowed name doesn't match)
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?roweimages\.com(/|$) [NC]
#
# photography message boards
RewriteCond %{HTTP_REFERER} !^http://www\.pdngallery\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.musicphotographers\.net(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.travelphotographers\.net(/|$) [NC]
#
# miscellaneous
RewriteCond %{HTTP_REFERER} !^http://labs\.adobe\.com(/|$) [NC]
#
# always allow "nohotlinks.jpg" to be displayed
RewriteCond %{REQUEST_FILENAME} !nohotlinks\.jpg$ [NC]
#
# if you get here, you get a nasty image instead
RewriteRule \.(jpg|jpeg|png|gif)$ nohotlinks.jpg [NC,R,L]

If a site tries to hotlink to one of my image files that is not explicitly granted permission, this is what they see instead.

Before I instituted this .htaccess file, I had lots of hotlinks to my concert photographs. After I instituted this, all forbidden hotlinking stopped. This works on Apache web servers. There are ways to do something similar on Microsoft IIS, but I don’t have instructions for doing that. Feel free to copy-n-paste this code and customize it for your site.
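When you customize the allowlist, check each entry against look-alike Referer values before you deploy it. The Python script below is an added example, not part of the original post: it emulates the condition chain and compares a bare-prefix entry with one that escapes the dots and ends the host name. The sample Referer values, the file name and the hotlinker.example domain are constructed.

```python
import re

IMAGE = re.compile(r"\.(jpg|jpeg|png|gif)$", re.I)      # RewriteRule pattern
PLACEHOLDER = re.compile(r"nohotlinks\.jpg$", re.I)     # never rewritten

# Allowlist entry written as a bare prefix: "." matches any character and
# nothing marks where the host name ends.
LOOSE = [r"^http(s)?://(www\.)?roweimages.com"]
# Same entry with literal dots and a boundary ("/" or end) after the host.
STRICT = [r"^http(s)?://(www\.)?roweimages\.com(/|$)"]

def is_blocked(referer, filename, allowlist):
    """True when the request would be redirected to nohotlinks.jpg."""
    if not IMAGE.search(filename):
        return False                      # rule only applies to image files
    if referer == "":
        return False                      # RewriteCond !^$ (no referer sent)
    if any(re.search(p, referer, re.I) for p in allowlist):
        return False                      # referer is on the allowlist
    if PLACEHOLDER.search(filename):
        return False                      # placeholder image is always served
    return True

# Constructed Referer values (hotlinker.example is a placeholder domain).
SAMPLES = [
    "",
    "https://www.roweimages.com/gallery/",
    "http://ROWEIMAGES.com",
    "http://other.example/forum/thread-1",
    "http://roweimages.com.hotlinker.example/page.html",
    "http://roweimagesXcom.example/",
]

def blocked_referers(allowlist, filename="concerts/show.jpg"):
    """Return the sample referers that would get the placeholder image."""
    return [r for r in SAMPLES if is_blocked(r, filename, allowlist)]

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("strict", STRICT)):
        print(name, blocked_referers(rules))
```

The empty Referer is allowed in both runs by design, so this filter reduces casual hotlinking rather than acting as access control.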

You can learn more about .htaccess here: http://www.javascriptkit.com/howto/htaccess10.shtml


Author: Walter Rowe | Category: Business, Legal, Security | July 2008