Image Hotlink Blocker Tool .htaccess Improvement

Forum Moderators: open

Message Too Old, No Replies

Image Hotlink Blocker Tool .htaccess Improvement

physics

11:38 pm on Jan 13, 2015 (gmt 0)

I was just having a look at

[freetools.webmasterworld.com...]

It generated .htaccess code like


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?127\.0\.0\.1/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?example\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(css|gif|jpg|jpeg|js|mng|mp3|mpg|mpeg|pdf|png)$ - [F]

I thought it would probably be good to change http:// to https?:// so that it would allow images to be accessed by non-hotlinkers on either the http or https version of the domain. So, it would look like:


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?127\.0\.0\.1/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?example\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(css|gif|jpg|jpeg|js|mng|mp3|mpg|mpeg|pdf|png)$ - [F]

I'm not able to test this right now but thought I would throw it out there for discussion.

lucy24

1:31 am on Jan 14, 2015 (gmt 0)

You don't need the https?:// part at all. For most situations it would be enough to say

!example\.com/

without anchor. It's extremely unlikely that an unwanted visitor would hotlink with a referer such as "badexample.com". If necessary, \bexample\.com should do.

Do not say [NC] in any rule that names your own site. A referer that claims to come from a wrongly cased ExAmPlE.com is fake anyway.

The final .*$ is completely uneccessary.

\.(css|gif|jpg|jpeg|js|mng|mp3|mpg|mpeg|pdf|png)$

which is to say, ahem,

\.(css|gif|jpe?g|js|[mp]ng|mp(3|e?g)|pdf)$

But list only those forms that your individual site really uses.

:: detour to look up .mng ::

Would a form like 127.0.0.1 ever actually occur in a referer received on your live site?