Hotlink protection and blank referers

         

davebach

7:04 am on Jan 28, 2004 (gmt 0)

10+ Year Member



I was recently informed by a visitor to my site that "everything was all screwed up." After some questions and then some research here, I found out about the Win IE 6 issue that has to do with some hotlink protection code not working if the trailing slash is missing when the user types in the URL.

I've always simply relied on the CPanel hotlink code that is written for me which is this:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://mysite.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysite.com/.*$ [NC]
RewriteRule .*\.(jpg|gif|png|bmp)$ http://www.mysite.com/hotlink.jpe [R,NC]

So I am now using this instead:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite.com(/)?.*$ [NC]
RewriteRule .*\.(jpg|gif|png|bmp)$ http://www.mysite.com/hotlink.jpe [R,NC]

I tested for hotlink protection here: http://www.htmlbasix.com/disablehotlinking.shtml AND tested it in Win IE 6 (leaving the slash off) and it is working, but what is this doing for blank referers? It's allowing them, right? Can I test from a blank referer somewhere? I hate to ASSUME it's working because I ASSUMED CPanel wrote good code and it screwed me for a while.

Thanks,
Dave

[edited by: jdMorgan at 7:46 pm (utc) on Jan. 28, 2004]
[edit reason] De-linked [/edit]

jdMorgan

7:46 pm on Jan 28, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Dave,

Welcome to WebmasterWorld [webmasterworld.com]!

You can easily get a blank referer - Just type the image URL into your browser address bar directly.
Another way to do it is to do a right-click-Save-image-as on the image while viewing the page on your site.

A simplified version of your current code which would accomplish exactly the same thing would be:


RewriteEngine on
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.com [NC]
RewriteRule \.(jpg|gif|png|bmp)$ http://www.mysite.com/hotlink.jpe [R,NC]

There's no reason to end a pattern with ".*" or ".*$" or to begin one with ".*" or "^.*" - these are redundant regex sequences, and don't do anything. In the case of the RewriteCond checking for the correct referring domain, the original code caused the problem by requiring the referrer to end with slash. So, since you don't care whether it ends with slash, and you don't care what subdirectory of the domain is the referrer, just leave all that off, and mod_rewrite won't test it as part of the match.

Ref: Regular Expressions tutorial [etext.lib.virginia.edu]

Jim

davebach

9:36 pm on Jan 28, 2004 (gmt 0)

10+ Year Member



If I also want to allow various unaccounted-for subdomains, can it read:

RewriteCond %{HTTP_REFERER} !^http://(.*\.)?mysite\.com [NC]

Is that the correct syntax?
Dave

jdMorgan

3:33 am on Jan 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes, that would work, but this would make the regex-parsing slightly more efficient (faster):

RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?mysite\.com [NC]

Jim
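An added example, not part of any post in this thread: an offline check of the four referer patterns quoted above against constructed Referer values, including the blank referer and the missing trailing slash. It assumes Python's `re` with `re.IGNORECASE` stands in for mod_rewrite's matching with [NC]; the names `RULESETS`, `SAMPLES`, `is_redirected` and `redirected` are hypothetical.

```python
import re

# Referer patterns copied from the posts above; [NC] is modelled with re.IGNORECASE.
RULESETS = {
    "cpanel":     [r"^http://mysite.com/.*$", r"^http://www.mysite.com/.*$"],
    "simplified": [r"^http://(www\.)?mysite\.com"],
    "any_sub":    [r"^http://(.*\.)?mysite\.com"],
    "one_label":  [r"^http://([^.]+\.)?mysite\.com"],
}
IMAGE = re.compile(r"\.(jpg|gif|png|bmp)$", re.IGNORECASE)

# Constructed sample Referer values (not taken from real logs).
SAMPLES = [
    "",                                  # blank: typed URL or "Save image as"
    "http://mysite.com",                 # no trailing slash
    "http://www.mysite.com/gallery/",
    "http://img.mysite.com/page.html",   # one-label subdomain
    "http://a.b.mysite.com/",            # two-label subdomain
    "http://other.example/page.html",    # unrelated site
    "http://mysite.com.other.example/",  # look-alike host name
]

def is_redirected(ruleset, referer, path="photo.jpg"):
    """True when the request would be redirected to the hotlink image."""
    if not IMAGE.search(path):           # RewriteRule pattern: images only
        return False
    if referer == "":                    # RewriteCond !^$ (or "."): blank passes
        return False
    # The remaining RewriteCond lines are negated matches, ANDed together.
    return not any(re.search(p, referer, re.IGNORECASE) for p in RULESETS[ruleset])

def redirected(ruleset):
    """Sample referers that the given rule set would redirect."""
    return [r for r in SAMPLES if is_redirected(ruleset, r)]

if __name__ == "__main__":
    for name in RULESETS:
        print(name)
        for ref in SAMPLES:
            verdict = "redirect" if is_redirected(name, ref) else "serve"
            print(f"  {verdict:8} {ref!r}")
```

In this run the `([^.]+\.)?` pattern redirects the two-label subdomain that the `(.*\.)?` pattern serves, and because none of the three shorter patterns anchors the end of the host name, all three serve the look-alike host.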