Apache Hot-Link Protection

Forum Moderators: phranque

Message Too Old, No Replies

Apache Hot-Link Protection

from .htaccess to scripting - what's the best way in 2010?

gethan

8:23 am on Feb 4, 2010 (gmt 0)

Due to the recent realisation that google is hot-linking to images [webmasterworld.com...] on a massive scale through ajax in Asia - I thought it was about time to open up a discussion on what are the pros and cons for various hot-linking prevention. (partly to help keep the original discussion on topic)

I currently use this method:


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://([a-zA-Z0-9\-]+)\.yourdomain\.com [NC]
RewriteRule ^(.*\.jpg)$ http://www.example.com/no-hotlinking-example.jpg [R=302,L]

Note the image returned is on a second domain avoiding looping redirects. (unless it too has these rules)

A few alternatives were suggested - any more? any cons with this approach?

jdMorgan

4:03 pm on Feb 4, 2010 (gmt 0)

Your code will block Google's hotlinks as well, as long as the HTTP Referer header is non-blank. I cannot advise you on whether that's a good idea or not, because I don't know your site or the nature of your visitors. However, the code could do with some improvement:


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^(http://([a-z0-9\-]+)\.example\.com.*)?$ [NC]
RewriteCond %{REQUEST_URI} !^/no-hotlinking-example\.jpg$
RewriteRule \.jpg$ http://www.example.com/no-hotlinking-example.jpg [R=302,L]

These modifications eliminate the need for a separate RewriteCond to check for a blank referrer, speed up the "my own domain" checking by removing the redundancy between using [a-zA-Z] *and* the [NC] flag, remove the requirement that the image be located separately or be given a non-standard name, and speed up the RewriteRule pattern by eliminating unnecessary regex.

Jim