What's wrong with my antihotlinking code?

         

Kickedout

1:12 pm on Oct 29, 2010 (gmt 0)

10+ Year Member



Hi

I have this in .htaccess but it is not working at all; all tests for anti-hotlinking show my images instead of my replacement image...
What's wrong?



#anti-hotlinking
RewriteEngine on
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?my-domain\.com\.ar/? [NC]
RewriteCond %{HTTP_REFERER} !(google|msn|yahoo|picsearch|altavista|ditto|ask|live|aol|terra|alltheweb|pixsy|mamma|bing|ixquick|metacrawler|grippo)\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
RewriteRule .*\.(gif|jpg|jpeg|bmp|png)$ http://i42.tinypic.com/foo.jpg [R,L]


Note: foo.jpg doesn't exist but I don't want this post to be edited for posting my replacement image.

jdMorgan

2:35 pm on Oct 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There is nothing inherently wrong with this code, but unfortunately, you did not describe how you tested it and *how* it fails -- in what specific way it "does not work."

The only improvement I would recommend is to modify the rule (which should work even as it is) to
 RewriteRule \.(gif|jpe?g|bmp|png)$ - [F] 

to simply return a 403-Forbidden response (don't waste bandwidth or server resources on hotlinks).

Note the efficiency tweaks to the pattern.

If you want to serve a "replacement image" from your own site, then that image must be explicitly excluded from this rule using a RewriteCond like
 RewriteCond %{REQUEST_URI} !^/foo\.jpg$ 

otherwise you will get an 'infinite' loop, because the redirected requests for "/foo.jpg" will trigger the anti-hotlinking code as well.

When testing this code, you must delete your browser cache after each step of the test. Otherwise, if an "allowed" request is made, then the image and the 200-OK response will get cached in your browser. Then when you test the "not-allowed request" your browser will show you the cached image and 200-OK, and it will appear that your code did not work.

Conversely, if your browser caches a "not-allowed" response, then when you test an "allowed request" you will see the cached "not allowed" response.

So either disable your browser cache completely while testing, or delete it after each step of your testing.

Jim
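
An offline model of the ruleset discussed in this thread, added here as an example (not code from either poster): it evaluates the posted RewriteCond lines against constructed Referer values, so the allow/block logic can be checked with no browser cache involved, and it shows the redirect loop that the REQUEST_URI exclusion prevents. The function names, the sample URLs and the assumption that the client sends the same Referer again after a redirect are assumptions of this example.

```python
import re

NC = re.IGNORECASE  # the [NC] flag on the posted conditions
ENGINES = ("google|msn|yahoo|picsearch|altavista|ditto|ask|live|aol|terra|"
           "alltheweb|pixsy|mamma|bing|ixquick|metacrawler|grippo")
# RewriteCond lines from the first post: (variable, regex, negated).
# mod_rewrite ANDs consecutive conditions by default.
CONDS = [
    ("referer", re.compile(r"."), False),
    ("referer", re.compile(r"^http://(.+\.)?my-domain\.com\.ar/?", NC), True),
    ("referer", re.compile(rf"({ENGINES})\.", NC), True),
    ("referer", re.compile(r"search\?q=cache", NC), True),
]
# Exclusion from the reply, for a replacement image hosted on the same site.
EXCLUDE = ("uri", re.compile(r"^/foo\.jpg$"), True)
RULE = re.compile(r"\.(gif|jpe?g|bmp|png)$")  # rule pattern from the reply

def blocked(uri, referer, exclude_replacement=False):
    """True when the rule fires for this request (403 or redirect)."""
    if not RULE.search(uri):
        return False
    values = {"referer": referer, "uri": uri}
    for var, regex, negated in CONDS + ([EXCLUDE] if exclude_replacement else []):
        hit = regex.search(values[var]) is not None
        if hit == negated:  # a plain condition missed, or a negated one hit
            return False
    return True

def follow(uri, referer, exclude_replacement, max_hops=5):
    """Follow redirects to /foo.jpg as a client would. Assumption: the
    Referer header is unchanged on the redirected request."""
    for hops in range(max_hops):
        if not blocked(uri, referer, exclude_replacement):
            return uri, hops
        uri = "/foo.jpg"
    return "loop", max_hops

if __name__ == "__main__":
    # Constructed sample requests: (URI, Referer header value).
    for uri, ref in [("/img/a.jpg", ""),
                     ("/img/a.jpg", "http://www.my-domain.com.ar/page.html"),
                     ("/img/a.jpg", "http://images.google.com/imgres?q=x"),
                     ("/img/a.jpg", "http://other-site.example/forum")]:
        print(repr(ref), "->", "blocked" if blocked(uri, ref) else "served")
```
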