RewriteCond %{HTTP_REFERER} !^http?://(www\.)?mysite\.com [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^/\?]+)?google\. [NC]
RewriteCond %{HTTP_REFERER} !^http://216\.239\.(3[2-9]|[45][0-9]|6[0-3])\. [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^/\?]+)?yahoo\. [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^/\?]+)?aolsearch\. [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^/\?]+)?gigablast\. [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^/\?]+)?ask\. [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^/\?]+)?msncache\. [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^/\?]+)?archive\. [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^/\?]+)?searchhippo\. [NC]
RewriteRule \.(jpe?g|png|gif)$ - [F]
And the "pipe" characters are really "pipes".
Can someone please point out my error?
How did you determine this? In other words, what test procedure was used?
Did you flush your browser cache between each test?
I'm asking because it's often a matter of "this did not meet my expectations" rather than a matter of "the code did not work" (technically). Because access control by referrer is never a 100% proposition (referrers can be faked or blank) and because the browser cache can interfere with test results (by displaying a locally-cached image instead of sending the request to your server, where your code can block it), there are a lot of "mystery problem" posts caused by these misunderstandings.
Your code allows only the listed referrers, and disallows all others unless the referrer is spoofed. However, it will also prevent any visitors (even legitimate ones) who connect to your site through their corporate or ISP's caching proxy from seeing images; They will think your site is broken.
Jim
"> at least 2 of the worst offenders are still able to hotlink to my images.
How did you determine this? In other words, what test procedure was used?"
I was going through my "referrer" stats clicking links. For the 2 URLs (they are 2 of the big community sites)
"Did you flush your browser cache between each test?"
Yes I did. Flushed the cache, closed the browser, reopened the browser.
"I'm asking because it's often a matter of "this did not meet my expectations" rather than a matter of "the code did not work" (technically)."
Yes, that is my situation. I can't know if the code is or is not working technically .. but the images are being displayed via a direct link.
"Your code allows only the listed referrers, and disallows all others unless the referrer is spoofed. However, it will also prevent any visitors (even legitimate ones) who connect to your site through their corporate or ISP's caching proxy from seeing images; They will think your site is broken."
I suppose I was looking for an easy solution. My Google cached page was not showing images, and when I tried to substitute the IP address for the URL name it didn't work.
I have removed the rewrite and will suffer the bandwidth loss until I can come up with a better way.
I guess we can't have the best of all worlds. :)
When you examined your referrer stats, what did you see?
In order to know if the referrer was blocked or not, you will need to see your server's response code for each hotlinked image request. If it is always a 200-OK, then those hotlinking referrers are not being blocked, which would indicate some systemic problem -- for some reason your code is not executing. However, if you see a 403-Forbidden response, then the access was blocked and the image was not transferred. But in either case, the access will be logged. In most cases, the server response is not available in 'stats' -- You have to look at the raw server access logs. Stats are useful for an overall view, but mostly useless for 'debugging' -- You have to look at the raw access and error logs.
In order to prevent blocking of blank referrers, which makes your site look broken to those visitors behind caching proxies, the single line
RewriteCond %{HTTP_REFERER} .
Access control by referrer is not 100% reliable. Some visitors to the hotlinking site may see your images if their browser doesn't send a referrer header to your server. But many won't see your images, and they'll pester the Webmaster of the hotlinking site, saying his images are broken. In most cases, this is sufficient to get him to remove the hot-link. And if not, you still block most of his visitors from loading your image.
I'm hoping that you haven't dug into the response code yet. If you have, and if it's 200-OK for all hotlink requests, then we need to find out why. However, if you are indeed getting 403 responses for most of those hotlinked accesses, then this is simply a matter of expectations vs. reality.
Jim
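Added example, not part of the thread or written by any of its posters: one way to do the raw-log check described above, tallying the server's response code per referring host for image requests. It assumes Apache's "combined" log format; the sample lines and forum.example.net are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+)[^"]*" '
                  r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')
IMAGE = re.compile(r'\.(jpe?g|png|gif)$')  # same pattern as the thread's RewriteRule

def referrer_host(referer):
    """Return the referrer's host name, or a marker for blank/unparsable values."""
    if referer in ("", "-"):
        return "(blank)"
    try:
        return urlsplit(referer).hostname or "(unparsable)"
    except ValueError:
        return "(unparsable)"

def hotlink_report(lines, own_hosts):
    """Count (referrer host, status) for image requests not referred by own_hosts."""
    report = Counter()
    for line in lines:
        m = LINE.match(line)
        # The RewriteRule sees the URL path without the query string, so strip it here too.
        if not m or not IMAGE.search(m["path"].split("?", 1)[0]):
            continue
        host = referrer_host(m["referer"])
        if host not in own_hosts:
            report[(host, int(m["status"]))] += 1
    return report

def unblocked_hosts(report):
    """Foreign referrer hosts that got at least one 200, i.e. were not blocked."""
    return sorted({h for (h, s) in report if s == 200 and h != "(blank)"})

# Constructed sample log lines (not taken from the thread).
T = "[10/Oct/2005:13:55:36 -0700]"
SAMPLE = [
    f'203.0.113.5 - - {T} "GET /images/cat.jpg HTTP/1.1" 403 210 "http://forum.example.net/thread/42" "Mozilla/5.0"',
    f'203.0.113.6 - - {T} "GET /images/cat.jpg HTTP/1.1" 200 48211 "http://forum.example.net/thread/42" "Mozilla/5.0"',
    f'203.0.113.7 - - {T} "GET /images/cat.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    f'203.0.113.8 - - {T} "GET /images/cat.jpg HTTP/1.1" 200 48211 "http://www.mysite.com/page.html" "Mozilla/5.0"',
    f'203.0.113.9 - - {T} "GET /page.html HTTP/1.1" 200 5120 "http://forum.example.net/thread/42" "Mozilla/5.0"',
]

if __name__ == "__main__":
    report = hotlink_report(SAMPLE, {"mysite.com", "www.mysite.com"})
    for (host, status), n in sorted(report.items()):
        print(f"{host:25} {status} x{n}")
```

A foreign host that shows only 403 entries is being blocked even though every request is still logged; a host with 200 entries is the case that needs debugging.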