Image Hotlink Blocker Tool .htaccess Improvement

     
11:38 pm on Jan 13, 2015 (gmt 0)

joined:Feb 27, 2001
posts: 2548
votes: 0


I was just having a look at

[freetools.webmasterworld.com...]

It generated .htaccess code like


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?127\.0\.0\.1/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?example\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(css|gif|jpg|jpeg|js|mng|mp3|mpg|mpeg|pdf|png)$ - [F]


I thought it would probably be good to change http:// to https?:// so that it would allow images to be accessed by non-hotlinkers on either the http or https version of the domain. So, it would look like:


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?127\.0\.0\.1/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?example\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(css|gif|jpg|jpeg|js|mng|mp3|mpg|mpeg|pdf|png)$ - [F]


I'm not able to test this right now but thought I would throw it out there for discussion.

1:31 am on Jan 14, 2015 (gmt 0)

lucy24 (Senior Member from US)

joined:Apr 9, 2011
posts:15892
votes: 876


You don't need the https?:// part at all. For most situations it would be enough to say

!example\.com/


without anchor. It's extremely unlikely that an unwanted visitor would hotlink with a referer such as "badexample.com". If necessary, \bexample\.com should do.

Do not say [NC] in any rule that names your own site. A referer that claims to come from a wrongly cased ExAmPlE.com is fake anyway.

The final .*$ is completely unnecessary.

\.(css|gif|jpg|jpeg|js|mng|mp3|mpg|mpeg|pdf|png)$

which is to say, ahem,

\.(css|gif|jpe?g|js|[mp]ng|mp(3|e?g)|pdf)$


But list only those forms that your individual site really uses.

:: detour to look up .mng ::

Would a form like 127.0.0.1 ever actually occur in a referer received on your live site?
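
Added example, not part of either post: a small Python harness for checking the referer patterns discussed in this thread before putting one into .htaccess. It assumes Python's `re` behaves like Apache's regex engine for these simple patterns, leaves out the 127.0.0.1 condition, and uses constructed referers and hypothetical names (`VARIANTS`, `is_forbidden`, `decision_table`, `same_extensions`).

```python
import re

# Extension patterns from the thread: the generated one and the compacted one.
EXT_ORIGINAL = r"\.(css|gif|jpg|jpeg|js|mng|mp3|mpg|mpeg|pdf|png)$"
EXT_COMPACT = r"\.(css|gif|jpe?g|js|[mp]ng|mp(3|e?g)|pdf)$"

# Allowlist patterns from the thread, each with whether [NC] is set.
VARIANTS = {
    "generated": (r"^http://(.+\.)?example\.com/.*$", True),
    "https_optional": (r"^https?://(.+\.)?example\.com/.*$", True),
    "unanchored": (r"example\.com/", False),
    "word_boundary": (r"\bexample\.com", False),
}

# Constructed sample Referer values (not taken from any real log).
SAMPLE_REFERERS = [
    "http://www.example.com/page.html",
    "https://www.example.com/page.html",
    "http://badexample.com/page.html",
    "http://www.ExAmPlE.com/page.html",
    "http://other.test/gallery.html",
    "",
]

def is_forbidden(variant, referer, uri, ext=EXT_ORIGINAL):
    """Mimic the rule set: answer 403 only when the URI has a protected
    extension, the referer is non-empty (the !^$ condition) and the
    referer does not match the allowlist pattern."""
    pattern, nocase = VARIANTS[variant]
    if not re.search(ext, uri) or referer == "":
        return False
    return re.search(pattern, referer, re.I if nocase else 0) is None

def decision_table(uri="images/logo.png"):
    """Map each variant to {referer: forbidden?} for the sample referers."""
    return {v: {r: is_forbidden(v, r, uri) for r in SAMPLE_REFERERS}
            for v in VARIANTS}

def same_extensions():
    """Check that both extension patterns agree on listed and near-miss names."""
    names = ["css", "gif", "jpg", "jpeg", "js", "mng", "mp3", "mpg", "mpeg",
             "pdf", "png", "jpegg", "mp4", "ng", "PNG", "html"]
    return all(bool(re.search(EXT_ORIGINAL, "f." + n)) ==
               bool(re.search(EXT_COMPACT, "f." + n)) for n in names)

if __name__ == "__main__":
    for variant, row in decision_table().items():
        for referer, forbidden in row.items():
            print(f"{variant:15} {referer or '(empty)':36} {'403' if forbidden else 'ok'}")
    print("extension patterns agree:", same_extensions())
```
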