jdMorgan - 5:04 pm on Feb 1, 2005 (gmt 0)
riki,
Welcome to WebmasterWorld! There's no foolproof way to tell the difference between a link on a page including your images and a direct access to your image. This is because the HTTP_REFERER header is notoriously unreliable. A few searches on WebmasterWorld for 'hotlinking' will turn up a lot more details on why this is so.
In addition, you cannot redirect from an image file to an HTML page file -- the browsers can't handle that.
Looking at your code, the first RewriteCond is misplaced, and should either be moved into the rule-set or commented out. Also, you may want to consider using an internal rewrite, rather than a redirect -- simply substitute your hotlink image for the requested image inside your server. This method does not require the cooperation of the client, and so keeps them unaware of the image substitution.
Changing that, and removing several instances of unnecessary leading and trailing ".*" sub-patterns, the code looks like this:
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?myfriends\.org [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mywork\.com [NC]
RewriteRule \.(gif|jpg|jpeg|png|swf)$ /img/antileech.gif [NC]
This implements what I'd consider 'best practices' for casual-hotlink protection. It will prevent 'easy' hotlinking and dissuade people who don't know it's wrong and who don't know how to get around your blocking. It is easy and simple, but it won't help against a determined hotlinker.
If you need better protection, then you'll need to use a script-and-cookies-based approach: you set a cookie on an 'authorized' page of your site, and then use a script to serve images only if the correct cookie is present in the image request. Images are kept in a directory accessible only to the script, and not via the Web. So, the script acts as an 'image server' on your site.
Jim
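The script-and-cookies approach described in the post above, sketched in Python as an added example that is not part of the original post. The cookie name, key, lifetime and the choice of an HMAC-signed expiring value as the 'correct cookie' are assumptions.

```python
import hashlib, hmac, os, time
from http.cookies import CookieError, SimpleCookie

SECRET = b"constructed-demo-key"   # assumption: load a random key from config
COOKIE = "imgpass"                 # hypothetical cookie name
TTL = 3600                         # seconds a pass stays valid (assumption)

def _mac(expiry: str) -> str:
    return hmac.new(SECRET, expiry.encode(), hashlib.sha256).hexdigest()

def issue_pass(now=None) -> str:
    """Cookie value set by an authorized HTML page: '<expiry>.<hmac>'."""
    expiry = str(int(time.time() if now is None else now) + TTL)
    return f"{expiry}.{_mac(expiry)}"

def pass_is_valid(value: str, now=None) -> bool:
    expiry, _, mac = value.partition(".")
    # Constant-time MAC check first, so a forged expiry is never trusted.
    if not expiry.isdigit() or not hmac.compare_digest(
            mac.encode(), _mac(expiry).encode()):
        return False
    return int(expiry) > (time.time() if now is None else now)

def serve_image(cookie_header, name, image_dir, now=None):
    """Return (status, body); image_dir lives outside the web root."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return 403, b""
    morsel = jar.get(COOKIE)
    if morsel is None or not pass_is_valid(morsel.value, now):
        return 403, b""          # or substitute the anti-leech image here
    # Resolve the requested name and refuse anything outside image_dir.
    root = os.path.realpath(image_dir)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, path]) != root or not os.path.isfile(path):
        return 404, b""
    with open(path, "rb") as fh:
        return 200, fh.read()
```

Unlike the Referer check, a signed pass cannot be forged by setting a header, but any client that first loads the authorized page receives one, so it limits embedding from other sites rather than access by visitors.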