How to prevent hotlinking images on Apache server using mod_rewrite

The Problem: People are leeching your bandwidth

People are lame and scummy. They are running eBay auctions and are too cheap to host their own photos, so they hotlink to your images from their web pages and suck up your bandwidth. If you were running Microsoft IIS you'd have to either install a buggy ISAPI plugin or just deal with it, but since you are running the Apache web server on a *nix box, you have real solutions available.

Apache and Linux give you options

With the Apache web server, you have options. You can simply block the hotlinking from other web pages, or you can have fun. For example, if you sell children's toys and some lamer has linked to an image of a child's toy on your web site, what you can do is substitute another image (oh, I don't know, like a photo of a box of rusty nails, broken glass or a picture of "Chucky" from the "Child's Play" horror movies) -- or you could do worse.

You can have fun with it: Imagine someone selling a nice 32" thin-panel LCD television - only they decided to link their web page to your images, and you're on a metered web host. I'd seek revenge by taking a picture of an old smashed-up mud-covered 13-inch black-and-white television set from the dump, and switching that in the thin-panel LCD television's place.

It's a question of ethics

There are two schools of thought on dealing with leeches: one is: is it right to sabotage their sales? The other is: "I'm going to make that there bastid pay for what he done!" -- my school of thought is the latter. The reason is this: When people hotlink to images on my web site, without my permission, they are stealing from me; they are taking my bandwidth, and what's worse, using my corporate resources for their gain AND effectively slowing down my own web sites. Therefore I show no mercy to lamers and leeches. They know what they're doing and don't care about consequences - until you turn the tables on them. Think of it as a deterrent, preventing future incidents.

I'll show you how to use both options, and leave it up to you. Think about it: It's your choice.

Prerequisites

  • mod_rewrite must be loaded
  • AllowOverride must be enabled
  • FollowSymLinks must be enabled

For the sake of this example, we will assume that your website URL is www.yourdomain.com, the file that is being hotlinked is widget.png, and the web page where the hotlinking is coming from is ebay.com (very common).

The Solution: using mod_rewrite and .htaccess to forbid hotlinking


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?ebay\.com/.*$ [NC]
RewriteRule widget\.png$ - [F]

When placed in your .htaccess file, this will prevent hotlinking of widget.png by any eBay auctions.

This rule explained:

1. First, the RewriteEngine (the mod_rewrite module Apache loaded) is turned on

Note: RewriteEngine only needs to be turned on once before any conditions or rules are defined. You do not need to turn it on, on a per-rule basis. In fact setting RewriteEngine On multiple times will result in a server error.


RewriteEngine On

2. Next, for any request that comes in with a non-empty HTTP referrer which does NOT match www.yourdomain.com or yourdomain.com (NOT case sensitive) . . .


RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.*$ [NC]

3. and the referrer IS www.ebay.com, or the referrer IS ebay.com


RewriteCond %{HTTP_REFERER} ^https?://(www\.)?ebay\.com/.*$ [NC]

4. for the file widget.png, send nothing, and forbid access (send a 403 Forbidden response header)


RewriteRule widget\.png$ - [F]

Alternatively: prevent hotlinking of all images (well, all .gif, .jpg/.jpeg, .png, and .bmp files) from eBay


RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?ebay\.com/.*$ [NC]
RewriteRule \.(gif|jpe?g|png|bmp)$ - [F]

Prevent hotlinking of all images (well, all .gif, .jpg/.jpeg, .png, and .bmp files) from anywhere but your own site


RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.*$ [NC]
RewriteRule \.(gif|jpe?g|png|bmp)$ - [F]
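
The rule set above can be checked against sample requests before it goes into your .htaccess. The following Python model is an added example, not part of the original article; it assumes the host dots are escaped and that both http and https referrers count as your own site, and every sample request in it is constructed.

```python
import re

# Model of the "anywhere but your own site" rules. Assumptions of this example:
# host dots are escaped and both http:// and https:// referrers are accepted.
EMPTY = re.compile(r"^$")                      # negated: RewriteCond ... !^$
OWN_SITE = re.compile(r"^https?://(www\.)?yourdomain\.com/.*$", re.I)  # [NC]
IMAGE = re.compile(r"\.(gif|jpe?g|png|bmp)$")  # RewriteRule pattern, no [NC]


def is_forbidden(path, referer):
    """Return True when the rule set would answer 403 for this request."""
    # mod_rewrite matches the RewriteRule pattern first, then its conditions.
    if not IMAGE.search(path):
        return False
    # Conditions are ANDed, and a leading "!" negates the regex match.
    return not EMPTY.search(referer) and not OWN_SITE.search(referer)


# Constructed sample requests: (path, Referer header, note).
SAMPLES = [
    ("widget.png", "http://www.yourdomain.com/toys.html", "own page"),
    ("widget.png", "https://yourdomain.com/", "own page over https"),
    ("widget.png", "http://www.ebay.com/itm/12345", "hotlink"),
    ("widget.png", "http://yourdomain.com.example.net/x", "look-alike host"),
    ("widget.png", "", "no Referer sent, allowed by !^$"),
    ("WIDGET.PNG", "http://www.ebay.com/itm/12345", "rule is case-sensitive"),
    ("index.html", "http://www.ebay.com/itm/12345", "not an image"),
]


def evaluate(samples=SAMPLES):
    """Return (path, referer, forbidden) for every sample request."""
    return [(p, r, is_forbidden(p, r)) for p, r, _ in samples]


if __name__ == "__main__":
    for (path, referer, note), (_, _, forbidden) in zip(SAMPLES, evaluate()):
        verdict = "403" if forbidden else "pass"
        print(f"{verdict:4}  {path:11} {referer or '-':40} {note}")
```

The output shows two things the rules do not cover: a request with no Referer header passes, and an upper-case extension is not matched because the RewriteRule carries no [NC] flag.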

The "Fun" Solution: using mod_rewrite and .htaccess to seek revenge

Now that you understand how to forbid access to your images, we can provide an example with an image substitution and you will be able to follow along.


# Serve the substitute image to eBay pages that hotlink flatpanelTV.jpg
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?ebay\.com/.*$ [NC]
RewriteRule flatpanelTV\.jpg$ images/crappysmashedTV.gif [L,NC]