How to prevent hotlinking in an https era?

geekay

8:51 am on Mar 12, 2016 (gmt 0)

10+ Year Member



Nowadays more and more sites are moving to https. How can an http site block image hotlinking with .htaccess in a proper way if an increasing section of the web does not supply the server with a referrer? Going https is not an option.

graeme_p

12:42 pm on Mar 12, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Go https, or risk blocking those not sending referrers at all from seeing images, as well as those on hotlinking sites.

lucy24

7:27 pm on Mar 12, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



How can an http site block image hotlinking with .htaccess if an increasing section of the web does not supply the server with a referrer?

Short of blocking all referer-less requests--and whitelisting known search engines--you can't.

Well, you can, but it probably isn't worth the trouble. You'd have to set up a very-short-lived database of IPs that have requested a page within the last 60 seconds or 5 minutes or whatever is appropriate, and allow only those IPs to receive images associated with any given page. (No, I have no idea how to do this. But I think it's what you would have to do.)

But wait. You said that your own site isn't https. So where are these referer-less requests coming from? Seems like, by definition, they're not coming from your own site. So just block them.

Edit: In recent months, I've seen a big upsurge in referer-less image requests from mobiles, particularly Androids. So far I haven't figured out how to verify it, but I'm pretty sure they're not viewing the real, full-size image. I think it's coming from image search. My solution, based on my specific individual circumstances*: ignore them.


* The vast majority of the requests involve public-domain images associated with various ebooks, where my own contribution was just a few minutes of sweat-of-the-brow. Since I knowingly and intentionally put the stuff online, I can hardly complain if people are looking at the pictures without reading the words.

Andy Langton

10:12 pm on Mar 12, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



But wait. You said that your own site isn't https. So where are these referer-less requests coming from? Seems like, by definition, they're not coming from your own site. So just block them.


I think geekay is noting that https => http = no referrer.

Edit: ah, I see. For an internal referrer it makes no difference! I totally missed your point :)

keyplyr

9:31 am on Mar 13, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I pretty much let go of attempts to control image hot-linking after Google & Bing forced us to allow access to everything on the page or get errors in their tools.

However, I do still block well known image scraper UAs and block image referrers to forum|gallery|thread|blog|edit|upload|etc...

I usually ignore the occasional hot-link I see in logs unless they become an issue.

geekay

10:39 am on Mar 13, 2016 (gmt 0)

10+ Year Member



Here is a long and interesting pre-https era (2013) discussion about blank referrers in hotlinking prevention:
[webmasterworld.com ]
lucy24 noted in that thread: "But it is well-nigh impossible to block all referer-less requests without preventing some real humans from seeing your pictures".

Now my question was not, like much in that thread, about Google image search (which has since changed how it operates). But matrix_jan said it: "Personally I want all possible bots to index my images. I just don't want my images to get hotlinked." Therefore I have always made exceptions for G and B, like !^https://(www\.)?google\. and several variations of it (as I do not know what precisely is required nowadays).

In [webmasterworld.com ] (2012)
lucy24 said: "In fact that was my original reason for exempting blank referers in the hotlinking routine".
keyplyr: "I certainly would not block no referrer, unless it is combined in a rule with other specifics".
incrediBILL: "When it comes to images no referrer SHOULD be blocked to avoid hot-linking because the images should be referred from the page loading them".

jdMorgan on Sept 2, 2003: "Just be aware that many legitimate users will have a blank referrer - that is why it's allowed in most of the code you see here. Any user who comes through an ISP or corporate proxy, or who uses Norton Internet Security may have a blank referrer. You'll have to decide whether losing them is worth the cost of blocking blank referrers".

This has gone beyond https now, but I am confused. I have an image-heavy non-profit information site and in the hope of getting visits to pages I welcome indexing by image search engines. But due to some bandwidth considerations hotlinking from other people's sites ought to be avoided.
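As an added example (not code posted by anyone in this thread), here is one way to write the policy the discussion converges on: lucy24's and jdMorgan's point that blank referers must be allowed through, geekay's exceptions for Google and Bing, and keyplyr's blocking of referers that look like forum/gallery/upload pages. The site hostname `example.com`, the image extensions and the exact search-engine hostname patterns are assumptions; the block assumes mod_rewrite is enabled in a .htaccess context.

```apache
# Added example of referer-based hotlink protection (not from the thread).
# Assumptions: mod_rewrite is available, the site is example.com (placeholder),
# and Google/Bing image search send a referer from a *.google.* or *.bing.com host.
RewriteEngine On

# Rule 1: block known scraper-style referers even if they otherwise pass.
# Own site is exempted first so our own /blog/ or /gallery/ pages still load images.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteCond %{HTTP_REFERER} (forum|gallery|thread|blog|edit|upload) [NC]
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC]

# Rule 2: classic hotlink check. Every condition must hold for the 403 to fire,
# so each line is an exemption:
#   - blank referer: https->http navigations, proxies and privacy tools send none,
#     and (per the thread) blocking them also blocks real visitors
RewriteCond %{HTTP_REFERER} !^$
#   - our own pages, over http or https, with or without www
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
#   - Google image search on any subdomain or country TLD (assumed pattern)
RewriteCond %{HTTP_REFERER} !^https?://([a-z0-9-]+\.)*google\. [NC]
#   - Bing image search (assumed pattern)
RewriteCond %{HTTP_REFERER} !^https?://([a-z0-9-]+\.)*bing\.com/ [NC]
# Anything else asking for an image file gets 403 Forbidden
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC]
```

The trade-off the thread describes is visible in the second rule: because `!^$` exempts blank referers, a hotlinking page loaded over https (or by a visitor whose browser strips the referer) is never caught, which is exactly why the thread concludes that referer checks cannot be made airtight without also losing legitimate visitors. Test a change like this by requesting an image with `curl -e` set to an outside site, to your own site, and to nothing at all, and confirm only the first returns 403.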

keyplyr

2:05 pm on Mar 13, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



BTW if you have any mobile traffic, that dynamic changes even more.