Welcome to WebmasterWorld Guest from

Forum Moderators: Ocean10000 & phranque

Message Too Old, No Replies

.htaccess file and firewalls

I have (had) a working .htaccess file until I upgraded my firewall...



7:40 pm on Jan 8, 2004 (gmt 0)

Inactive Member
Account Expired


Now, I am wondering if the .htaccess file is not configured correctly or if it is worthless with a firewall.

I had the .htaccess file in my images directory within my root directory. Worked fine. I noticed today, after upgrading my zone alarm, even when I test images out on html basix's hotlinking test, I see my images as they are intended. Before, I saw the substituted anti-hotlinking banner.

I haven't done anything in my file manager today, so the file is still there.

My questions:

Do firewalls override .htaccess file commands? In other words, if someone who had a firewall wanted to hotlink from my files, does that mean that their firewall would ignore the .htaccess file command? Wouldn't that make the file rather worthless? (I am using the file to protect images on my website and from a forum).

If that is so, how can I modify the code?

8:43 pm on Jan 8, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
votes: 0


Welcome to WebmasterWorld [webmasterworld.com]!

No, firewalls can't override .htaccess commands. .htaccess is part of the server process, and can't be affected by anything outside that process - short of a system crash.

It is more likely that your new firewall is now blocking HTTP_REFERER, and that your .htaccess hotlink blocker has an exclusion to allow images to be viewed if the request comes without a referrer (and this is how it should be to avoid massive problems).

Take a look at your ZA config, and see if it is set to block HTTP_REFERER headers. If so, turn off that blocking.

HTTP_REFERER is intrinsically unreliable, and you have simply run into one of the cases where it can't be relied upon. Because many firewalls and caching proxies block HTTP_REFERER, you really can't block blank referrers on a public site. Inside a corporate network, where you have full control over all client configurations, you can do it, but blocking blank referrers on a public site leads to many, many visitors thinking your site is broken. So it is a painful tradeoff between blocking hotlinkers, and not blocking legitimate visitors who just happen to be connecting through a proxy (corporate, ISP, etc.) that blocks referrrers.

Another thing to remember is that you must flsuh your cache(s) between tests; otherwise the images will be served from your local cache.