Hotlink Protection Tutorial (Apache Server - .htaccess files)

**NeutralizeR** · 07-25-2006 08:36 AM

What is hotlinking and bandwidth theft?

Bandwidth theft or "hotlinking" is direct linking to a web site's files (images, video, etc.). An example would be using an <img> tag to display a JPEG image you found on someone else's web page so it will appear on your own site, eBay auction listing, weblog, forum message post, etc.

Bandwidth refers to the amount of data transferred from a web site to a user's computer. When you view a web page, you are using that site's bandwidth to display the files. Since web hosts charge based on the amount of data transferred, bandwidth is an issue. If a site is over its monthly bandwidth, it's billed for the extra data or taken offline.

A simple analogy for bandwidth theft: Imagine a random stranger plugging into your electrical outlets, using your electricity without your consent, and you paying for it.

How Do I know I am hotlinking?

This is how you might display an image graphic file in the HTML on your own web page:

HTML Code:

<img src="image.jpg" height="350" width="200">

This tag tells the site to request the file image.jpg on the same server as the rest of the files on the site. If you were to hotlink an image from an outside server, the HTML might look like this:

HTML Code:

<img src="http://notmysite.com/image.jpg" height="350" width="200">

This tag tells the site to request the image.jpg from a different server other than your own. Every time the page is loaded, the outside server has to use its bandwidth to display the image. To avoid this problem, don't link to files on servers that don't belong to you. To share images and files on your own web page, upload them to your own server's directory or to a free image hosting service that allows direct linking.

Why should I stop hotlinking?

Hotlinking can have a lot of undesirable consequences. One is the so-called "switcheroo". If you've linked to an image on someone's server, what's to prevent them from changing the image you linked to? This can have humorous results. Since most sites, forums, etc. have strict policies about offensive images, it wouldn't take much for an aggravated webmaster you've been stealing bandwidth from to shut you down completely with an unwanted "switcheroo".

Displaying an image or file that doesn't belong to could be a violation of copyright, making you open to litigation. The owner of the file could utilize DMCA law to have your site shut down and your information given for use in legal proceedings.

How can I test to see if my image can be hotlinked?

Use our URL hotlink checker below to check the hotlinking protection (such as an htaccess file) on your web site. Enter the complete URL below (ex: http://mysite.com/image.jpg) to see if your image can be loaded and hotlinked by an outside server.

Click to go to the Resource & Test Page

******************************************
******************************************
******************************************
Following text may not be an ultra professional experience but i've been using these techniques for 2 years and they are working great for me.

I've been running two dedicated servers and i've full control over them (my .htaccess file lines included in my httpd.conf file). If your hosting is shared and got some restrictions to use .htaccess files on your account, you should contact your hosting company first to enable them.
Notice: .htaccess files can only be used by Apache web servers and they will not work on a windows system.

Hotlink Protection Enabled .htaccess File Tutorial

-Create a new TXT file named *'sample.htaccess' and open it with your text editor (NotePad). *Windows users won't be able to create it as '.htaccess' so you have to rename 'sample.htaccess' to '.htaccess' after it's been uploaded to your server.

-Copy and paste the following lines to 'sample.htaccess' file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.yourdomain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.yourdomain.com$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.yourdomain.com/forum/ [R,NC]

-Change http://www.yourdomain.com with your domain name.
-Upload 'sample.htaccess' file to your web server's root and rename it to '.htaccess'.

Read the following text to figure out how to customize your own .htaccess file.

RewriteCond %{HTTP_REFERER} !^$ = Allow direct requests (ie. entering the url to an image in your browser). People can't publish your image files at their own web pages but they still can view them by entering their url in the browser window. These images can also be viewed (shared) by clicking on their urls in Instant Messenger windows.

[NC] = "No Case", meaning match the url regardless of being in upper or lower case letters.

[R] = Redirect

*(jpg|jpeg|gif|png|bmp|swf) = Files to block

I used to redirect blocked files to a custom .jpe image file. If you prefer this option, you should use the following .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.yourdomain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.yourdomain.com$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.yourdomain.com/nohotlinking.jpe [R,NC]

Upload a tiny jpg file with a text on it like "Hotlinking is not allowed!" and change it's extension to .jpe. This JPEG image is using the extension jpe instead of jpg to prevent blocking your own replacement image.

My .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://www.msxlabs.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.msxlabs.org$ [NC]
RewriteRule .*\.(mp3|mpeg|mpg|ram|rm|wma|wav|asx|wmv|avi|mov|z ip|rar|exe)$ http://www.msxlabs.org/forum/ [R,NC]

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.msxlabs.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.msxlabs.org$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.msxlabs.org/forum/ [R,NC]

This .htaccess file redirects people to my forum homepage who are trying to access the file types which are listed in the blocked files list.

First piece of lines got RewriteCond %{HTTP_REFERER} !^$ line as i don't want people to be able to access those kind of files directly. (The protection for the image files doesn't have that line)

If you don't want a redirection for (mp3|mpeg|mpg|ram|rm|wma|wav|asx|wmv|avi|mov|zip|r ar|exe), you can use replace that line with the following display your Error Code 404 page:

RewriteRule .*\.(mp3|mpeg|mpg|ram|rm|wma|wav|asx|wmv|avi|mov|z ip|rar|exe)$ [F,NC]

Example: 404 - MsXLabs

.htaccess files effect the folder it's in and all of the subfolders.

If you want to exclude a subfolder from the hotlink protection, create another .htaccess file with the lines below and upload it to that directory:

RewriteEngine on
RewriteRule ^.*$ -

IMPORTANT NOTE: PLEASE DELETE ANY EXTRA SPACES ADDED BY VBULLETIN. (jpg|jpeg|gif|png|bmp|swf) THERE SHOULD'T BE ANY SPACES BETWEEN THE EXTENSION TYPES.
Feel free to reply this thread if i made some mistakes

This tutorial is written by NeutralizeR @ MsXLabs Organization
Original Thread

**Juan Muriente** · 07-26-2006 02:56 PM

Excellent tutorial. Thanks for the contribution

**Lian** · 07-26-2006 04:12 PM

Good written and good hint, but: Don't forget that every mod_rewrite statement -especially ENV lookups- is causing the server's load to rise.

So I'd prefer to disable cross-linking via PHP code, see sample for vb2, which almost works the same way for vB3.

**NeutralizeR** · 07-26-2006 05:41 PM

Originally Posted by Lian

Good written and good hint, but: Don't forget that every mod_rewrite statement -especially ENV lookups- is causing the server's load to rise.

So I'd prefer to disable cross-linking via PHP code, see sample for vb2, which almost works the same way for vB3.

Thanks for your comments.

I've tons of zipped archives, animated gif images and swf files uploaded to my web server...they can be viewed via non-vbulletin pages and it's why i prefer this method.

Example page:
Windows Live Messenger Göz Kýrpmalarý - MSN Göz Kýrpmalar - MSN Göz Kýrpmalarý - Messenger Göz Kýrpmalarý - Winks - www.MsXLabs.org

**NeutralizeR** · 07-26-2006 05:48 PM

This image is located in a hotlink protected directory:

------- > It must be broken here. (Hotlink protected with forum home redirection)

This line allows it to be viewed by an empty referrer:

RewriteCond %{HTTP_REFERER} !^$

Copy the url below, open a new browser window and paste it to address bar:
http://www.msxlabs.org/images/acting...sxlabs.com.gif

Once it's cached by your browser, you can view the image above in this post, too.

I used to redirect hotlink protected image files to a small gif file which was located in a non-hotlink protected directory:

Non-image files are always being redirected to my forum homepage.

**Keith Cohen** · 07-26-2006 05:58 PM

I use the following, in the .htaccess in the root of my site, to show leech.gif in place of any hotlinked images/files:

Code:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://.*fireblades\.org.*$ [NC] 
RewriteCond %{HTTP_REFERER} !^https://.*fireblades\.org.*$ [NC] 
RewriteCond %{REQUEST_URI}  !^.*leech\.gif$ [NC]
RewriteRule ^.*\.(swf|bmp|gif|jpg|jpe|jepg|png|jpeg|avi|wmv|mpg|mpeg|wav|mp3)$ http://www.fireblades.org/images/leech.gif [NC,R,L]

This line excludes my leech file, and allows it to be shown:

Code:

RewriteCond %{REQUEST_URI} !^.*leech\.gif$ [NC]

**tanya** · 09-20-2006 06:46 PM

I just have a quick question about your .htaccess file. you re-wrote the same conditions for each RewriteRule. Is that neccessary?

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://www.msxlabs.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.msxlabs.org$ [NC]
RewriteRule .*\.(mp3|mpeg|mpg|ram|rm|wma|wav|asx|wmv|avi|mov|z ip|rar|exe)$ yourredirectlink.com [R,NC]

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.msxlabs.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.msxlabs.org$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.redirectlink.com [R,NC]

**briansol** · 09-21-2006 02:43 AM

I had this up for a while

hehe

**NeutralizeR** · 09-21-2006 10:02 PM

Originally Posted by tanya

I just have a quick question about your .htaccess file. you re-wrote the same conditions for each RewriteRule. Is that neccessary?

There were some special swf files which load the external images in the movie, that's why i let the empty referrers to access image files. Otherwise those image files called by a swf couldn't be loaded even they were all in my own web server.

I'm using the method below at the moment (in my httpd.conf file):

<Directory /home/msxorg/public_html>
Options All -Indexes
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.msxlabs\.org
RewriteRule (.+) http://www.msxlabs.org%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.msxlabs.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.msxlabs.org$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf|mp3|mpeg|mpg|ram|rm| wma|wav|asx|wmv|avi|mov|zip|rar|exe)$ MsXLabs Hi-Tech Forum - MaviKaranlik.com: “Karanlýðýn Mavi Yüzü...” [R,NC]
RewriteRule ^((urllist|sitemap).*\.(xml|txt)(\.gz)?)$ forum/vbseo_sitemap/vbseo_getsitemap.php?sitemap=$1 [L]
ErrorDocument 404 /forum/ [R=301,L]
</Directory>

**jackiem** · 09-24-2006 11:52 AM

Just great and very informative useful read. I used to block hotlinking by cpanel. Now I know more about .htaccess can do. Thank you

**Tefra** · 07-08-2007 07:07 AM

I know i am bumping this topic but it's probably the best place to get an answer.

I have a folder named files on my server that i use it to store the downloads and i have this htaccess

Code:

RewriteEngine on
RewriteCond &#37;{HTTP_REFERER} !^http://(www\.)?3dacc.net/(/)?.*$ [NC]
RewriteRule .*\.(gif|jpg|jpeg|png|zip|exe|rar)$  http://www.3dacc.net/list.php?c=files [R,NC]
Options -Indexes

It works ok but i want to achieve something better. I want the requested filename to pass on the script so i can do my stuff and redirect back to original page and not on a boring leech page.

I tried this but it only sends the extension of the file, how can i pass the whole filename ?

Code:

RewriteRule .*\.(gif|jpg|jpeg|png|zip|exe|rar)$  http://www.3dacc.net/list.php?c=files&file=$1 [R,NC]

**Oleg Ignatiuk** · 07-08-2007 10:06 AM

You should change it to:

Code:

RewriteRule (.*\.(gif|jpg|jpeg|png|zip|exe|rar))$  http://www.3dacc.net/list.php?c=files&file=$1 [R,NC]

**Tefra** · 07-09-2007 03:53 PM

Originally Posted by Oleg Ignatiuk

You should change it to:

Code:

RewriteRule (.*\.(gif|jpg|jpeg|png|zip|exe|rar))$  http://www.3dacc.net/list.php?c=files&file=$1 [R,NC]

Thanks to you i managed to achieve exactly what i wanted!

**mihai11** · 11-20-2008 04:53 AM

In which conditions this technique creates problems for legitimate users ?

I read some where that people behind firewalls or proxies might have trouble accessing the protected images.

Welll .... a lot of people are behind firewalls these days. Perhaps other webmasters can comment on what issues they faced when implementing hotlink protection.

**tyagikapil** · 06-08-2011 08:12 AM

Hello, Will adding the .htaccess hotlink protection cause load on the server by any way? I'm concerned after reading this statement...

Originally Posted by Lian

Good written and good hint, but: Don't forget that every mod_rewrite statement -especially ENV lookups- is causing the server's load to rise.

Hotlink Protection Tutorial (Apache Server - .htaccess files)

LinkBack

Thread Tools

Display

Hotlink Protection Tutorial (Apache Server - .htaccess files)

Similar Threads

.htaccess for hotlink protection

.htaccess files

Suggestion for a server problem

Version works only with apache server...

Posting Permissions