Htaccess, rewrite, image leeching

Can you tell me why this does not stop image leeching from my site? Well, erm, more directly, what should it be to ACTUALLY stop hotlinking :slight_smile:

[code]RewriteCond %{HTTP_REFERER} !^$

# site(s) allowed to hotlink

RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !^$ [NC]

# if not allowed then …

RewriteRule .*\.(gif|jpg|jpeg|bmp)$ - [F,NC]
[/code]
I note that the hotlinked images all have .JPG (upper case) extensions, but I thought the ‘NC’ would cover that situation.

UPDATE: I found the htaccess section of the panel and the hotlinking setup. I was horrified that it simply overwrote my existing htaccess rather than appending to it - I’ll keep that in mind when I set up other domains that use htaccess for other purposes!

Anyway, here is what the panel wrote (more or less)

[code]RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?*$ [NC]
RewriteRule \.(gif|jpg|jpeg|png|mp3|mpg|avi|mov)$ - [F,NC]
[/code]

Most of my leeching was due to just a few domains. I choose to keep an eye on my stats, and restrict just the sites that hotlink the most. This still allows me to hotlink from other sites when I want to. It is most useful for things like forums, where users aren’t allowed to upload files to the server. Here is the code to restrict specific domains, in case you find it useful…

[code]RewriteEngine On
RewriteCond %{HTTP_REFERER} ^(.+) [NC,OR]
RewriteCond %{HTTP_REFERER} ^(.+) [NC,OR]
RewriteRule \.(jpe?g|gif|png|wmv|bmp)$ - [F]
[/code]

Thanks pangea33. It was only by looking at the stats I found out my old attempt wasn’t working. So your point is well taken. Thanks for the sample, too.

Oops. I’m sure you figured this out, but the third line is wrong. I chopped some out, and forgot to change it.

This line:
RewriteCond %{HTTP_REFERER} ^(.+) [NC,OR]

Should be:
RewriteCond %{HTTP_REFERER} ^(.+) [NC]

The DreamHost wiki has a comprehensive article about using mod_rewrite to cope with hotlinking, with several solutions available.

Simon Jessey
Keystone Websites (business site) | si-blog (personal site with affiliate links)

I should point out that although the above methods (including those on the wiki) do reduce hotlinking, they will not outright prevent it.

The problem with pretty much all widely-usable anti-hotlinking code is that it relies upon the http referrer being passed. Just take a look at your own examples to see what I mean – without that header they simply cannot function.

Now, where the issue lies is with referrers not being a mandatory part of the web browsing experience. That is, users can very easily disable it if they choose to do so (in the case of Firefox). In addition, certain firewalls such as Norton’s block all referrals by default, meaning that they too will not be affected by your blocking.

This results in two things:

  1. If you only let people view your images from a certain referral (eg: your own site), you will find that those not passing referrals will not be able to see your images. Since this accounts for quite a lot of people, it is not a good idea for any website which hopes to attract a decently sized crowd.

  2. If you only block all referrals except your own and no referral at all (that is, the images will only show if there is either no referral – the image is being directly accessed – or it’s being accessed from your own domain), you will only be preventing a percentage from hotlinking.

So, bearing that in mind, I personally am not aware of a bulletproof way of blocking hotlinking to images without compromising your ability to use them yourself. Perhaps using PHP to dynamically generate the URLs and make your site automatically change its URLs in unison would work, but that’s far above me.
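To make the referer logic in the snippets above concrete, here is an added example (written for this thread, not code from the original posters or from the DreamHost panel): a small Python model of the three policies discussed, the panel's allow-own-site-or-empty rule, the stricter own-site-only variant Ryan's point 1 warns about, and pangea33's block-specific-domains approach, run over a few constructed access-log lines. The domains (example.com, leecher.example.net), the log lines and the function names are all assumptions made for the example; the extension list and the case-insensitive match mirror the panel's `[NC]` rule.

```python
"""Added example: model the referer checks of the mod_rewrite snippets
and run them over constructed Combined Log Format lines."""

import re
from urllib.parse import urlsplit

# Constructed values for this example; the thread's real domains were elided.
OWN_HOSTS = {"example.com", "www.example.com"}
BLOCKED_HOSTS = {"leecher.example.net", "www.leecher.example.net"}

# Same extension list and case-insensitive match as the panel rule:
# RewriteRule \.(gif|jpg|jpeg|png|mp3|mpg|avi|mov)$ - [F,NC]
PROTECTED_EXT = re.compile(r"\.(gif|jpe?g|png|mp3|mpg|avi|mov)$", re.IGNORECASE)

# Apache Combined Log Format; a missing Referer header is logged as "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_host(referer):
    """Lowercased host of the Referer URL, or '' when the header is absent."""
    if referer in ("", "-"):
        return ""
    return (urlsplit(referer).hostname or "").lower()


def decide(path, referer, policy):
    """Return 'allow' or 'block' for one request under the given policy.

    'allowlist-empty-ok' mirrors the panel snippet: block protected files unless
                         the referer is empty (RewriteCond !^$) or one of OWN_HOSTS.
    'allowlist-strict'   the variant Ryan's point 1 warns about: an empty referer
                         is blocked too, so users without referers lose the images.
    'blocklist'          pangea33's approach: block only when the referer host is
                         one of BLOCKED_HOSTS, everyone else gets the image.
    """
    if not PROTECTED_EXT.search(path):
        return "allow"  # the RewriteRule pattern would not match this path
    host = referer_host(referer)
    if policy == "blocklist":
        return "block" if host in BLOCKED_HOSTS else "allow"
    if host in OWN_HOSTS:
        return "allow"
    if host == "" and policy == "allowlist-empty-ok":
        return "allow"
    return "block"


def audit(log_text, policy):
    """Parse log lines and return ([(path, referer, verdict), ...], summary)."""
    decisions = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at them
        decisions.append((m["path"], m["referer"], decide(m["path"], m["referer"], policy)))
    blocked = sum(1 for _, _, v in decisions if v == "block")
    return decisions, {"blocked": blocked, "allowed": len(decisions) - blocked}


# Constructed sample log: own-site referer, a leeching forum, no referer at all,
# an unrelated third-party referer, and a non-image request from the leecher.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /img/photo.JPG HTTP/1.1" 200 5120 "http://www.example.com/gallery.html" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /img/photo.JPG HTTP/1.1" 200 5120 "http://leecher.example.net/forum/thread" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2023:13:55:38 +0000] "GET /img/photo.JPG HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Oct/2023:13:55:39 +0000] "GET /img/photo.JPG HTTP/1.1" 200 5120 "http://other.example.org/page" "Mozilla/5.0"
203.0.113.14 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 800 "http://leecher.example.net/forum/thread" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for policy in ("allowlist-empty-ok", "allowlist-strict", "blocklist"):
        decisions, summary = audit(SAMPLE_LOG, policy)
        print(policy, summary)
        for path, ref, verdict in decisions:
            print(f"  {verdict:5}  {path}  referer={ref or '-'}")
```

Running it shows the trade-off in numbers: the panel-style rule blocks the leecher and the unrelated site but lets the no-referer request through, the strict variant also blocks the no-referer request (the visitor behind a referer-stripping firewall), and the blocklist blocks only the named forum. The upper-case `.JPG` is matched in every policy because the extension check is case-insensitive, which is what `[NC]` does on the RewriteRule.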

I agree with everything Ryan said.

There are no “bulletproof” methods. HTTP_REFERER is not a required environment variable, which is where your “bulletproof” methods will falter. Most sites will just block any invalid properly formatted HTTP_REFERER and let the others through. This generally is a good enough method. The tricky ones that know about altering the HTTP_REFERER themselves will also know that even though they can get away with it, OTHERS will not see that image they’ve linked.

So all in all, checking HTTP_REFERER isn’t bulletproof, but it is good enough.