Welcome to WebmasterWorld Guest from

Forum Moderators: open

Message Too Old, No Replies

Image Hotlink Blocker Tool .htaccess Improvement

11:38 pm on Jan 13, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 27, 2001
posts: 2548
votes: 0

I was just having a look at


It generated .htaccess code like

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?127\.0\.0\.1/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?example\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(css|gif|jpg|jpeg|js|mng|mp3|mpg|mpeg|pdf|png)$ - [F]

I thought it would probably be good to change http:// to https?:// so that it would allow images to be accessed by non-hotlinkers on either the http or https version of the domain. So, it would look like:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?127\.0\.0\.1/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?example\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(css|gif|jpg|jpeg|js|mng|mp3|mpg|mpeg|pdf|png)$ - [F]

I'm not able to test this right now but thought I would throw it out there for discussion.
1:31 am on Jan 14, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
votes: 876

You don't need the https?:// part at all. For most situations it would be enough to say


without anchor. It's extremely unlikely that an unwanted visitor would hotlink with a referer such as "badexample.com". If necessary, \bexample\.com should do.

Do not say [NC] in any rule that names your own site. A referer that claims to come from a wrongly cased ExAmPlE.com is fake anyway.

The final .*$ is completely uneccessary.


which is to say, ahem,


But list only those forms that your individual site really uses.

:: detour to look up .mng ::

Would a form like ever actually occur in a referer received on your live site?