Thursday 10 May 2012

Avoid image hotlinking

You must have noticed it: on the Internet, images are used as if they were free of rights, and often loaded directly from the creator's website. A site can display an image hosted on your server and use your bandwidth instead of its own. :-(

This may be tolerable when the theft comes from a user of a forum, but it is intolerable when it comes from the author of a major site, sometimes with much more traffic than yours, who can bring your server down!


With a .htaccess file you can block certain users, certain IP addresses, and even certain referrers, which is what we need here. This is done with the Rewrite module, so your server must have URL rewriting (mod_rewrite) enabled.

You will need:

  • a very light image, indicating that you refuse the use of your bandwidth (example),
  • a PHP file, more severe, returning a 401 error code, which will ask every visitor of your robber's page for a password to view the image (example),
  • or both, to "punish" the different referrers more or less severely.


Here's an example with both situations: a prohibition image for forums, and a malicious error message for the two other referrers:

# Against hotlinking
RewriteEngine On
# Never rewrite the replacement image itself, otherwise the first rule loops on it
RewriteCond %{REQUEST_URI} !/images/forbidden\.png$
RewriteCond %{HTTP_REFERER} ^https?://.+/viewtopic\.php [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://forum\.example\.net/ [NC]
RewriteRule .*\.(jpe?g|png)$ images/forbidden.png [L]
RewriteCond %{HTTP_REFERER} ^https?://blog\.example\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://www\.example\.org/ [NC]
RewriteRule .*\.(jpe?g|png)$ images/forbidden.php [L]


Addresses are regular expressions (escape the dots). Within a group of conditions, don't forget the OR flag on every line except the last, otherwise the conditions are ANDed! Also exclude the replacement image itself from the rule, or the rewrite loops on it.

Now you only have to locate, in your visit statistics, the external uses of your images. With AWStats, for example, on the referring sites page, they are the URLs that count visits (hits) but no pages seen.

A more drastic method would be to systematically block every site other than yours. Consider it only as a last resort, if you're really upset! Indeed, some visitors have their browser or their anti-virus configured to block the referrer; unless you let requests with an empty referrer through (a condition such as RewriteCond %{HTTP_REFERER} !^$), they would not see any image of your site. ;-)


And as it's my day of kindness, here's the content of the file forbidden.php, which displays the nasty login dialog:

<?php
// Answer the hotlinked image request with 401, so the browser asks for a login
header('HTTP/1.0 401 Unauthorized');
header('WWW-Authenticate: Basic realm="An image on this page was taken without authorization from another site (hotlinking)"');
exit;
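As an added example (not from the original post), here is the same policy implemented entirely in PHP, for a server where mod_rewrite is not available or where you prefer to keep the image-serving logic in one file. Images are linked as /img.php?f=photo.png; the file name img.php, the images/ directory, the host names and the log line format are all assumptions. It also handles two things the .htaccess version leaves to you: it lets requests with an empty referrer through (the visitors mentioned above who block it), and it validates the requested file name, because routing images through PHP must not open a path traversal.

```php
<?php
// Added example, not the original post's code: a PHP gate that applies the
// post's hotlinking policy. Deploy as /img.php and link images as
// /img.php?f=photo.png (the path, directory and host names are assumptions).

// Hosts allowed to embed our images (assumption: put your own domains here).
$allowed_hosts = ['www.example.org', 'example.org'];

// Referrers that only get the light "forbidden" image; any other referrer
// that is neither blank nor allowed gets the 401 dialog instead.
$forum_patterns = ['~/viewtopic\.php~i', '~^https?://forum\.example\.net/~i'];

$image_dir = __DIR__ . '/images';            // where the real images live
$forbidden = $image_dir . '/forbidden.png';  // the light prohibition image

// Send one image file with the right content type and stop.
function send_image(string $path): void
{
    $types = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
              'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . ($types[$ext] ?? 'application/octet-stream'));
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

// Accept only a plain file name with an image extension: this rejects
// "../", slashes and anything that could reach outside $image_dir.
$name = $_GET['f'] ?? '';
if (!preg_match('~^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$~i', $name)) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
$file = $image_dir . '/' . $name;
if (!is_file($file)) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

$referer = $_SERVER['HTTP_REFERER'] ?? '';
$host = strtolower((string) parse_url($referer, PHP_URL_HOST));

// Blank referrer (privacy settings, anti-virus, direct link) or our own
// site: serve normally, otherwise those visitors would see no image at all.
if ($referer === '' || in_array($host, $allowed_hosts, true)) {
    send_image($file);
}

// Keep a trace for your statistics: one error-log line per hotlinked request.
error_log(sprintf('hotlink %s -> %s', $referer, $name));

// Forums get the mild punishment: the prohibition image.
foreach ($forum_patterns as $re) {
    if (preg_match($re, $referer)) {
        send_image($forbidden);
    }
}

// Everybody else gets the 401 dialog, as in forbidden.php.
header('HTTP/1.0 401 Unauthorized');
header('WWW-Authenticate: Basic realm="An image on this page was taken without authorization from another site (hotlinking)"');
exit;
```

One caveat on the 401 trick: current browsers suppress the login prompt for cross-origin images and simply show a broken image, so the response still denies the picture, but the dialog box effect described above rarely appears any more.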
