Serve Image From Protected Folder



I want to serve an image on to a .htm page from a .htaccess protected folder. Someone mentioned to me that they thought it could be done with Perl, but had no idea about where I might find a script. I just want to stop people from using a direct url to the image in the folder… and with .htaccess, I am unable to use the image on a web page. Any help would be much appreciated!


If .htaccess isn’t getting the job done for you, it is possible to set up a script to serve up images subject to whatever sorts of access control you want. It can be done in any language and the technique is conceptually pretty simple.

The idea goes something like this:

  1. Store your images outside of your document root. This will prevent direct access to them.
  2. Create a script that takes the name of the image to serve as an input parameter.
  3. Return a proper Content-Type header from your script.
  4. Open the file using the script and print its contents to standard output.

Now, there are a few caveats about this technique. First, be sure to validate the file name because it will be possible for your script to print back any file in the filesystem, which is a potential security risk. Second, if your images are large, you may need to be careful about not using too much memory if you try to read the entire file in one gulp and print it out all at once.
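The four steps and both caveats above, as an added example that is not part of the original post. It is written in Python rather than the Perl the question mentions; the `IMAGE_DIR` path and the `name` query parameter are assumptions, and whatever access-control check you want would go before the call to `serve`.

```python
import os
import sys

# Assumed location outside the document root; adjust for your host.
IMAGE_DIR = "/home/example/private_images"
CONTENT_TYPES = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
                 ".png": "image/png", ".gif": "image/gif"}
CHUNK = 64 * 1024


def resolve_image(name, base=IMAGE_DIR):
    """Return (path, content_type), or None if the request must be refused."""
    ctype = CONTENT_TYPES.get(os.path.splitext(name)[1].lower())
    if ctype is None or "\x00" in name:
        return None                      # not an allowed image type
    base_real = os.path.realpath(base)
    path = os.path.realpath(os.path.join(base_real, name))
    # realpath collapses "../" and symlinks; the result must stay inside base.
    if os.path.commonpath([base_real, path]) != base_real:
        return None
    if not os.path.isfile(path):
        return None
    return path, ctype


def serve(name, out, base=IMAGE_DIR):
    """Write a CGI response for `name` to the binary stream `out`; return status."""
    found = resolve_image(name, base)
    if found is None:
        out.write(b"Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\nNot found\n")
        return 404
    path, ctype = found
    out.write(("Content-Type: %s\r\nContent-Length: %d\r\n\r\n"
               % (ctype, os.path.getsize(path))).encode("ascii"))
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            out.write(chunk)             # stream in pieces, never the whole file
    return 200


if __name__ == "__main__":
    # CGI entry point: expects e.g. image.py?name=photo.jpg
    from urllib.parse import parse_qs
    query = parse_qs(os.environ.get("QUERY_STRING", ""))
    serve(query.get("name", [""])[0], sys.stdout.buffer)
```

Refused requests all get the same 404, so the response does not reveal whether a path outside the image directory exists.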


Many Thanks Alpicola for your reply… as it was much appreciated! I had thought of keeping my images outside my document root folder… but when I contacted DH about doing that (as I couldn’t get my script to serve the image) I was told it’s not allowed on DH because of security issues. Maybe something with SSI… I’m not sure? I’m very Green with all of the scripting issues… But I think with time I will run into a usable script… Thanks Again For Taking The Time To Answer My Post…


Is there a specific reason you can’t use a rewrite Cond + Rule?

Maximum Cash Discount on any plan with MAXCASH


Many Thanks For Your Thoughts sXi. That is in fact an idea. I had this piece of code below:

SetEnvIf Referer "^" local_referal

# Allow browsers that do not send Referer info

SetEnvIf Referer "^$" local_referal
<Directory /web/images>
Order Deny,Allow
Deny from all
Allow from env=local_referal
</Directory>

Is this the type of thing you meant? Like I mentioned earlier… I am a novice when it comes to understanding programming… But I think that is what you are saying. The only thing with the rewrite… it seemed to still serve me the image if I used the direct url to the folder/image. Maybe I am just using it in the wrong way? I made a .htaccess file, and then chmod it to 644 once it was uploaded… and since I’m not sure about programming as a whole… I’m sure there is something I am missing. Thanks Again For Your Reply…


I employ a redirect at another host. This is what I have in an .htaccess file at root over there:

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !^
$ [NC]
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !^
$ [NC]
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !^
$ [NC]
RewriteCond %{HTTP_REFERER} !^$ [NC]

RewriteRule .*.(jpg|jpeg|gif|png|bmp|zip|rar|exe|txt)$ [R,NC]

As you can probably follow there is a main site, a forum, and a subdomain. In the above case, if anything listed in the RewriteRule is hotlinked from an outside site (or typed directly into a browser) the client is redirected to the forum.



You Are Very Kind Indeed sXi…

I really appreciate you taking the time to help me… I really do. That piece of code is very impressive indeed… Thanks For Sharing…

I do have two questions… If I may Ask?

1.) When the code is put into a .htaccess file… one must chmod it to 644, correct?

2.) Would this .htaccess file go into the root of my domain to protect the “whole domain”… or would the .htaccess file go in the “specific folder” where the images are contained that I don’t want direct url access to?

Thanks Again!

  1. Yes, in the interests of security, chmod 644 is best.

  2. That particular .htaccess is in the root of the domain as it’s there to protect the entire domain from hotlinking, but you can use one in any folder to have it protect just that folder (and all subfolders within it).

The main thing to remember is that once it’s passed some rules to Apache, those rules apply to each and every folder deeper than the .htaccess location.



Thanks Again sXi…

Your kindness is much appreciated. I will read the link that you sent along… at the risk of testing your good nature… I wonder if I might ask one last rambling question:

Just so I am clear… when I make this .htaccess file and put it in the root of my domain… I then chmod it to 644… and that will stop “hot linking” and direct url visits (url added to the browser) to my images. So with all that… my question really is: Will this also stop bots (e.g. Google bot images) from being able to access the images directly through a url as well?

Many Thanks In Advance For Your Patience!


To keep bots from indexing your images folder you could add a robots.txt in your domain’s folder:

User-agent: *
Disallow: /images/

You can add any number of folders by adding more lines.

User-agent: *
Disallow: /folder1/
Disallow: /folder2/
Disallow: /folder3/



You Have Been Such A Help sXi…

I can’t tell you how much I appreciate it!

People don’t like to help much these days… but you jumped right in…

Thanks Indeed For Your Kindness!


No worries mate.

The regulars here are always willing to help. If you have any problems there’s bound to be someone here that’ll help solve them :wink:
