Prevent Hotlinking on HTTPS


#1

The https://help.dreamhost.com/hc/en-us/articles/216363197-How-do-I-prevent-image-hotlinking- article has the following, but nowadays all the sites are https, hence how do we do it…?

RewriteEngine On
# Deny image requests whose Referer is not this site (note the negating "!")
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com(/.*)*$ [NC]
RewriteRule \.(jpeg|JPEG|jpe|JPE|jpg|JPG|gif|GIF|png|PNG|mng|MNG)$ - [F]

#2

Either change the http to https or remove the protocol from the code.

However, that code does not account for all the visitors who do not come with a referrer. That’s a lot of users nowadays.

The anti-hotlinking code will backfire on you. There will be a lot of visitors blocked from viewing images on your site. It's not a viable solution. Just let them hotlink. You're not paying for bandwidth.


#3

Dittos to what @keyplyr said, but if you still want to prevent the hotlinks…

Put this after your RewriteCond line to handle what he said about visitors without a referer.

RewriteCond %{HTTP_REFERER} !^$

In your Cond line, to allow for either protocol, change from “http:” to “http(s?):”.
Or you can use common code to rewrite http to httpS before you get to this condition (be sure not to use the L option to force the redirect).
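To check what the rules assembled in this thread (negated own-site pattern, "http(s?)" for either protocol, and the empty-referer pass-through) actually do before putting them in .htaccess, here is an added example that is not part of the thread: a small Python model of the RewriteCond chain run over constructed sample requests. The domain example.com and the request list are assumptions for illustration.

```python
import re

# Same pattern as the thread's RewriteCond with the "(s?)" change from #3.
# Apache's [NC] flag corresponds to re.IGNORECASE here.
OWN_SITE = re.compile(r"^https?://(www\.)?example\.com(/.*)*$", re.IGNORECASE)
# The RewriteRule lists upper/lower-case extensions; IGNORECASE has the same effect.
IMAGE_EXT = re.compile(r"\.(jpeg|jpe|jpg|gif|png|mng)$", re.IGNORECASE)


def hotlink_blocked(path: str, referer: str) -> bool:
    """Return True when the assembled ruleset would answer 403 (the [F] flag).

    Mirrors the RewriteCond chain: every condition must hold for the
    RewriteRule to fire.
      1. HTTP_REFERER is not empty        (RewriteCond %{HTTP_REFERER} !^$)
      2. HTTP_REFERER is not our own site (the negated pattern above)
    and the RewriteRule pattern itself only matches image paths.
    """
    if not IMAGE_EXT.search(path):
        return False  # rule pattern does not match: not an image request
    if referer == "":
        return False  # condition 1 fails: referer-less requests are let through
    if OWN_SITE.match(referer):
        return False  # condition 2 fails: request came from one of our own pages
    return True


# Constructed sample requests (path, Referer header) to exercise the rules.
SAMPLE_REQUESTS = [
    ("/img/logo.png", "https://www.example.com/about"),   # own site, https
    ("/img/logo.png", "http://example.com/"),             # own site, http
    ("/img/logo.png", ""),                                # no referer (mobile/privacy)
    ("/img/logo.png", "https://other.example.net/page"),  # third-party page
    ("/img/logo.png", "https://example.com.evil.test/"),  # lookalike host, fails the anchor
    ("/docs/index.html", "https://other.example.net/"),   # not an image: rule never fires
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Map each (path, referer) to the HTTP status the rules would produce."""
    return [(path, ref, 403 if hotlink_blocked(path, ref) else 200)
            for path, ref in requests]


if __name__ == "__main__":
    for path, ref, status in evaluate():
        print(f"{status}  {path:<18} Referer: {ref or '(none)'}")
```

Swap in your own domain and the referers you see in your access log to confirm the lines block only what you intend.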


#4

Well, you can, but it probably isn’t worth the trouble. You’d have to set up a very-short-lived database of IPs that have requested a page within the last 60 seconds or 5 minutes or whatever is appropriate, and allow only those IPs to receive images associated with any given page. (No, I have no idea how to do this. But I think it’s what you would have to do.)

But wait. You said that your own site isn’t https. So where are these referer-less requests coming from? Seems like, by definition, they’re not coming from your own site. So just block them.

Edit: In recent months, I’ve seen a big upsurge in referer-less image requests from mobiles, particularly Androids. So far I haven’t figured out how to verify it, but I’m pretty sure they’re not viewing the real, full-size image. I think it’s coming from image search. My solution, based on my specific individual circumstances*: ignore them.