
How to only allow access via hotlink

.htaccess to allow images to be viewed only through a hotlink

         

MBrearley

2:05 pm on Apr 7, 2004 (gmt 0)

10+ Year Member



How can I use the .htaccess file to block images from being accessed unless they are hotlinked from a specific web site (i.e. www.mydomain.com)? The images exist on www.theotherdomain.com and I don't want to allow anyone to view the images by entering www.theotherdomain.com/imagesfolder/image.jpg. The only way I want the server to serve up the images is if they are referred to by mydomain.com or www.mydomain.com.

Thanks for any help.

--
Mike

jdMorgan

3:15 pm on Apr 7, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Mike,

Welcome to WebmasterWorld [webmasterworld.com]!

Use any one of the many examples [google.com] found here for anti-hotlinking .htaccess code, and modify it to specify the "allowed" referrer. You will also need to allow blank referrers, since many of your visitors will come from behind firewalls and proxy servers that block the referrer.

Jim

MBrearley

3:35 pm on Apr 7, 2004 (gmt 0)

10+ Year Member



I'm completely new to .htaccess (just created my first few yesterday for password protection). How do I specify to 'Allow' a referrer? Also, I do not want someone to be able to open an image from anywhere without it being viewed through an html page. Is that possible?

What I mean by that is, I don't want someone to put in [mydomain.com...] and be able to see the image.

This is what I have now...

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com [NC]
RewriteRule \.(gif|jpg)$ - [NC,F]

Thanks,
Mike

MBrearley

4:23 pm on Apr 7, 2004 (gmt 0)

10+ Year Member



OK, using this seems to work:

SetEnvIfNoCase Referer "^http://(www\.)?mydomain\.com/" local_ref=1
<FilesMatch "\.(gif|jpg)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>

Is there better code, or is this OK?

Thanks,
Mike

jdMorgan

8:26 pm on Apr 7, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Either one of those coding approaches should work if your host allows/supports them. However, as I stated, you will need to allow for blank referrers. You will get many visitors who do not provide a referrer, and there is nothing they can do about it -- In other words, they are not all bad guys trying to hotlink or steal your images, they are simply accessing the 'net from behind a firewall or ISP proxy server that blocks some or all referrers.

AOL does this a lot. The Norton Internet Security package also blocks referrers, but I'm not sure if it does so by default, or if the user has to turn it on. However, I doubt you want to spend all day on the phone debugging these issues with your users and their ISPs, so the simple answer is to allow for blank referrers using "^$" as the regular expression for a blank referrer. This does indeed open a "hole" in your image protection, but that is offset by the sometimes-huge problems you can have if you block authorized users who do not provide a referrer -- We've got several old threads here from Webmasters who experienced that "Help desk" nightmare and needed help to fix their code.

Jim

MBrearley

8:33 pm on Apr 7, 2004 (gmt 0)

10+ Year Member



Can you explain how I allow for a blank referral in this code? I have no idea where I need to add the characters that you mentioned.

SetEnvIfNoCase Referer "^http://(www\.)?faerybug\.com/" local_ref=1
<FilesMatch "\.(gif|jpg)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>

jdMorgan

10:04 pm on Apr 7, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Add this line before or after the SetEnvIfNoCase line:

SetEnvIf Referer "^$" local_ref=1

Jim
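
Added example, not part of the thread: a small Python model of the two rule sets posted above, run over constructed Referer values to show which requests each variant serves (200) or refuses (403). It assumes an absent Referer header is matched as an empty string and treats the FilesMatch pattern as anchored at the end of the name; the function names and sample values are made up for illustration.

```python
import re

# Patterns as posted in the thread (pipe character restored).
# [NC] and SetEnvIfNoCase both mean case-insensitive matching.
REWRITE_REF = re.compile(r"^http://(www\.)?mydomain\.com", re.I)
SETENV_REF = re.compile(r"^http://(www\.)?mydomain\.com/", re.I)
BLANK_REF = re.compile(r"^$")  # the SetEnvIf Referer "^$" line
IMAGE = re.compile(r"\.(gif|jpg)$", re.I)


def rewrite_status(path, referer):
    """mod_rewrite variant: [F] (403) for images unless the Referer matches."""
    if IMAGE.search(path) and not REWRITE_REF.search(referer):
        return 403
    return 200


def setenvif_status(path, referer, allow_blank=True):
    """SetEnvIf variant: images are denied unless local_ref gets set."""
    if not IMAGE.search(path):
        return 200
    local_ref = bool(SETENV_REF.search(referer))
    if allow_blank and BLANK_REF.search(referer):
        local_ref = True
    return 200 if local_ref else 403


# Constructed sample Referer values; an absent header is modelled as "".
SAMPLES = [
    "http://www.mydomain.com/gallery.html",    # the allowed site
    "",                                        # typed URL or stripped header
    "http://unrelated.example/page.html",      # another site hotlinking
    "https://www.mydomain.com/gallery.html",   # allowed site over HTTPS
    "http://mydomain.com.unrelated.example/",  # host only begins with the name
]


def report(path="/imagesfolder/image.jpg"):
    """Return (referer, rewrite status, SetEnvIf status) for each sample."""
    return [(r, rewrite_status(path, r), setenvif_status(path, r)) for r in SAMPLES]


if __name__ == "__main__":
    for row in report():
        print("%-42r rewrite=%d setenvif=%d" % row)
```

The last two samples show two properties of the posted patterns: both are written for http:// only, so pages served over HTTPS are refused, and the RewriteCond pattern has no trailing slash, so it accepts any host name that merely begins with mydomain.com, while the SetEnvIfNoCase pattern does not.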