.htaccess to block external use of images

         

lobo235

5:52 pm on Aug 5, 2005 (gmt 0)

I would like to block access to any external linking of my images. I have a few that are dynamically generated using PHP's gd2 library and I don't want my server load to jump up because people are using them. If I use the following in my .htaccess file, will users who block the http_referer from being sent not see the images?

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example.com/.*$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F]

jdMorgan

5:57 pm on Aug 5, 2005 (gmt 0)

Why not test it and find out? :)

RewriteEngine on
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|gif|png|bmp)$ - [F]

I removed some redundant regex tokens, and made a couple more efficiency tweaks, but what you had should work... With the caveat that requests without referrers will get through, and you must allow blank referrers so that people visiting your site from behind corporate and ISP (like AOL) proxies won't think your site is broken.

Flush your browser cache when testing... Change all broken pipes in code posted on WebmasterWorld to solid pipes before use; posting here modifies them.

Jim

lobo235

7:23 pm on Aug 5, 2005 (gmt 0)

Great, I just did some testing and as you said, it works. What part of this allows the blank http_referer to get through? I don't understand regex that well or the rewrite engine all that well either.

jdMorgan

7:34 pm on Aug 5, 2005 (gmt 0)

The first RewriteCond allows blank referrers. If you delete that line, your site won't work for users of corporate or ISP caching proxies -- In effect, you'll block all of AOL, for example. These users will see broken image icons and assume that your site is broken or down. Overwhelmingly, they will not be aware of why this is happening.

Access control using HTTP_REFERER has this limitation. It's easy, and fairly effective, but you must allow blank referrers (or plan on hiring a full-time help desk and losing 15% of your legitimate visitors/sales/etc.). The 'cure' of blocking blank referrers is worse than the hotlinking 'disease' in most cases.

You can implement more sophisticated solutions using cookies and an image-serving script, or cookies and .htaccess restrictions. You can also cleverly rename your images once an hour/day/week, and use .htaccess to provide the correct image based on time. However, unless you are selling copyrighted images online, it's usually not worth the bother to develop and test these more-effective solutions.

There are hundreds of threads here about hotlinking (example [google.com]), and these issues are more fully discussed in many of them.

Jim

lobo235

12:18 am on Aug 9, 2005 (gmt 0)

With IE I started running into a problem with the blank referer. For some reason it seemed to be working with Firefox though. I changed the htaccess file to the following to fix the problem:

RewriteEngine on
RewriteCond %{HTTP_REFERER} \.$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|gif|png|bmp)$ - [F]

Do you think this will work all the time now?

jdMorgan

12:32 am on Aug 9, 2005 (gmt 0)

Nope,
That will only work now for referrers that end in a literal "." -- Not many.

I posted working code above. If it doesn't work, it's because you have a cached copy of the image. Flush your browser cache between tests.

Jim
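
The two points from Jim's replies above (the `.` condition lets blank referrers through, while `\.$` matches only referrers ending in a literal dot) can be checked offline with a small model of the rules. This is an added example, not code from the thread: the function names and sample requests are constructed, and Python's `re` module stands in for Apache's regex engine.

```python
import re

# RewriteRule pattern, with the forum's broken pipes restored to solid ones.
IMAGE_RE = re.compile(r"\.(jpe?g|gif|png|bmp)$")
# Second RewriteCond pattern; the [NC] flag maps to re.IGNORECASE.
OWN_SITE_RE = re.compile(r"^http://(www\.)?example\.com/", re.IGNORECASE)


def is_forbidden(path, referer, first_cond=r"."):
    """Return True when the modelled rules would answer 403 ([F]).

    first_cond is the pattern of the first RewriteCond. RewriteCond
    patterns are unanchored, so re.search is the equivalent match.
    A request without a Referer header is tested as the empty string.
    """
    referer = referer or ""
    if not IMAGE_RE.search(path):            # rule pattern is checked first
        return False
    if not re.search(first_cond, referer):   # cond 1 fails: rule not applied
        return False
    if OWN_SITE_RE.search(referer):          # cond 2 is negated with "!"
        return False
    return True


# Constructed sample requests: (path, Referer header or None if absent).
SAMPLES = [
    ("img/chart.png", None),
    ("img/chart.png", "http://www.example.com/page.html"),
    ("img/chart.png", "http://EXAMPLE.com/"),
    ("img/chart.png", "http://other.example.net/forum/thread"),
    ("img/chart.png", "http://other.example.net/list."),
    ("index.html", "http://other.example.net/forum/thread"),
]


def compare():
    """Rows of (path, referer, posted-rules verdict, variant verdict)."""
    return [(p, r, is_forbidden(p, r), is_forbidden(p, r, r"\.$"))
            for p, r in SAMPLES]


if __name__ == "__main__":
    for path, referer, posted, variant in compare():
        print(path, referer,
              "| '.' ->", 403 if posted else "served",
              "| '\\.$' ->", 403 if variant else "served")
```

In the output, the external referrer without a trailing dot gets 403 under the posted rules but is served under the `\.$` variant, and the request with no Referer header is served in both cases.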

lobo235

1:15 am on Aug 9, 2005 (gmt 0)

I just figured it out. The trailing slash after example.com was causing problems. I removed it and now it's working using the code you have above.