Welcome to WebmasterWorld!

HTTP_HOST refers to *your* server, so you'd want to use REMOTE_HOST or REMOTE_ADDR if you want to block access by a foreign server to your server -- For example, if that server is downloading your site once a week or something.

If you are trying to stop another site from linking to your site or INCluding your images or scripts on their pages, then you'd use HTTP_REFERER. But be advised that this is not a 100% solution, for two reasons:

First, not all clients will provide the REFERER header in their request. Some "Internet Security" software will block that header. Clients behind corporate or ISP caching proxies will have their requests passed through the proxy, which may remove the header. And second, some browser extensions allow the user to enable/disable the header at will.

So what that means is that you'll need to allow for blank referrers (allow access), and put up with a few successful 'hotlinks.' Otherwise, you run the risk of making *your* site look broken to legitimate visitors. This can keep your help desk quite busy handling complaints if you're lucky, or just cost you business if you're not.

The good news is that even though some hotlink requests may get through, the hotlinker's site is the one that will look broken to those clients whose browsers do supply a referrer. And the problem will appear from the hotlinking site's perspective as being an intermittent problem -- tougher to troubleshoot than a repeatable problem.

If you need better security, then a cookies-based scripted approach is better, but obviously more complex.

As far as handing www1, www2, www3, etc., that's simple. Write your regular-expressions pattern to accept "www<anything>.hotlinker.com" as the referrer to block.

Jim