Jackie,

Welcome to WebmasterWorld!

A bit of advice, which I hope you will take in the friendly spirit in which it is offered:

First, server-side code like this is powerful; Don't install any code on your server that you don't fully understand.

Second, only you can test end evaluate the code to be sure it meets your needs, because every Web site is different. This stuff is definitely not plug-and-go. With that in mind, see point #1.

That said, the code you have posted includes a comment which no longer applies, as it will block images linked from any site except your own, example.com, and example2.com, based on the HTTP_REFERER sent in the client's HTTP request. Some clients will not send a referrer, and any requests which pass through a caching proxy (such as are used in many corporate and ISP networks) will also not have a referrer. In order to allow for this, the first RewriteCond in the code allows for blank referrers (The alternative is that you'd block all AOL users from fetching these files, for example).

Major search engines won't provide a referer, so they won't be blocked from spidering your image, media, and css files. But if you wish to have images displayed when people view the search engines' cached copy of your site, then you will have to add allowances for that. In addition, the "view full size" function on search engines which offer image search won't work for your site with this code in place.

Finally, the code is bloated and has some minor errors in it. If you want to use it with the features it has now, a more efficient way to write it would be:

RewriteEngine on
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.(com¦net) [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example2\.com [NC]
RewriteRule \.(gif¦jpe?g¦bmp¦mid¦css)$ - [F,NC]

This code says, "If the HTTP_REFERER is non-blank, and the HTTP_REFERER is not my site or either of the other two allowed sites, then if the request is for an image, midi, or CSS file, respond with a 403-Forbidden response."

For more information on mod_rewrite, see the documentation cited in our forum charter [webmasterworld.com].

Also a search of WebmasterWorld for "hotlinking htaccess [google.com]" will turn up tons of discussion you might find useful.

Once you have defined your sites' specific needs and have come up with some code to implement it, we can offer suggestions for improvement or answer specific questions about your test results.

To avoid server errors, change all broken pipe "¦" characters above to solid pipe characters (usually Shift-\) before use. Posting on this forum modifies those characters.

Jim

Hi Jim,
I have searched the forum prior to posting. I fell into the site which researching the topic on Google.

I am on informational overload. The amended code you posted will work great for my purposes if the images and logo I link to in my site autoresponder will still show.

(Is there a way to exclude a folder in the code?)

My husband is a photographer and the balance of image display vs hotlinking is a tricky one.

Thanks,
Jackie

> The amended code you posted will work great for my purposes if the images and logo I link to in my site autoresponder will still show.

This is the kind of thing you'll have to test. Due to unforeseen circumstances, I can't say whether it will work for your specific needs or not.

> Is there a way to exclude a folder in the code?

Yes, just add another condition to the ruleset:

RewriteCond %{REQUEST_URI} !^/path_to_excluded_folder/

The Forbidden response will then be suppressed for that folder.

> My husband is a photographer and the balance of image display vs hotlinking is a tricky one.

In other discussions, various methods of handling this have been discussed. If the photos are "the product" for sale on your site, then one method which may work for you is to watermark [google.com] all proprietary images on your site with his name (or the studio/company name, as applicable). This is done by adding "Copyright <date> <Copyright_holder_name>" to each image using Photoshop or similar. Despite your aesthetic sensibilities, the copyright notice should be bigger and uglier than "pure art" allows -- You don't want someone to be able to simply crop the shot to remove the copyright notice, and still have a well-composed, presentable image after doing so. So, a common approach is to use a semi-transparent "banner" across more-or-less the entire image.

As another non-Apache comment: Be sure that the images on your site are greatly-reduced in resolution. If you keep their filesize below 32kB, then they can't be succesfully printed at 8x10" size without looking terribly "grainy". The trick is to make them look good at small size on the screen, and to look horrible if printed in large format.

Another thing you can do is to have Apache declare these images as non-cacheable, so they can't be saved in the visitor's browser. That's done with Apache mod_expires and mod_headers.

For the short-term, I can understand your information overload, and I'm sure you just want to get something working. But try searching the Web for other sites that offer images for sale, and take a look at the techniques they use. We also have a Site Graphics and Multimedia Design forum [webmasterworld.com] where you might want to discuss these issues with other artists.

Jim