Image bandwidth theft using mod_rewrite directives

Ok, what have I done wrong this time? :frowning: To try and prevent image bandwidth theft, I have included the following lines to my .htaccess file: [each RewriteCond is on one line]

RewriteEngine on
RewriteCond %{HTTP_REFERER}!^$
RewriteCond %{HTTP_REFERER}!^ [NC]
RewriteCond %{HTTP_REFERER}!^ [NC]
RewriteRule [^/]+.(gif|jpg|bmp)$ - [F,NC]

The code seems to work only if people are trying to directly link to, but it won’t work if people link to

Changing the code to the following does not make a difference: [each RewriteCond is on one line]

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www.)?$ [NC]
RewriteRule .
.(gif|jpg|bmp)$ - [F,NC]

Any help/advice would be greatly appreciated.

  • marsbar

I’m just a beginner with regex, but I’d say that you’ve forgotten to escape the period in “” in both your blocks, and in “+.(gif” in the first block.

TorbenGB . . . Get a free WebID

You can change the second and third line with:

RewriteCond %{HTTP_REFERER} !^http://(..)?$ [NC]

I use some \ to escape chars and this may be a big difference in some cases.

Many thanks for responding, Torben and GFv.

Unfortuantely, the old problem will not go away (i.e. rules are only effective against direct links to , but not Worse still, RewriteCond %{HTTP_REFERER} !^$ seems to have caused access problem for some people. Today I received some reports from visitors saying that they had not been able to access my site due to an internal server error (HTTP error 500).

I have also tried the example shown in this KB article:
While the 500 error is gone, I am still left with the original problem. :frowning:

  • marsbar

Look in your error.log and find out what the actual errors were. mod_rewrite has pretty decent logging.


Thank you for responding, Nate.

The actual error: RewriteCond: bad argument line ‘%{HTTP_REFERER}!^$’

Site access has been restored; however, a new problem cropped up (on top of the original problem described in my first post) earlier, leaving me with no choice but to remove the entire block of anti-bandwidth theft code. The code was also preventing my own domain from linking to (my own) images.

I have visited a number of other sites and tried out their code and instructions (all are basically the same), yet all with the same results: I must be doing something wrong. Arrgh!

Help! :frowning:

  • marsbar

The following rules, courtesy of Reid Stott of, seem to work for me:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} .*jpg$|.*gif$|.png$ [NC]
RewriteCond %{HTTP_REFERER} ^[http|nttp].
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} ! [NC]
RewriteRule .(gif|jpg|png)$ - [F,NC,L]