Tips for Apache Hotlink Protection Using .htaccess

Tips for Apache Hotlink Protection Using .htaccess
Page content

What is Hotlinking?

Hotlinking, also known as leeching, refers to embedding a resource hosted on the servers of one website into the content of another site. A common example of this kind of direct linking would be the use of an image within a forums signature. Because the resource is resident on a third party’s servers the bandwidth required to stream it to the client is taken from that third party server. In the case of services like Amazon S3 or Image Shack, this is fine. But when an unsuspecting webmaster finds their content hotlinked they end up paying for the privilege of their content being used on someone else’s website, in a context they might not want it to be.

The run-up to the 2008 U.S elections brought about a particularly fascinating case of leeching, with presidential candidate John McCain’s MySpace page being found to use hotlinked template files. Unhappy with the context in which the files were used the original author changed an image within the template into a pledge to support gay marriage, causing disruption to McCain’s political campaign.

Apache’s htaccess file is a versatile creation which allows blocking of IP addresses, custom error pages and undetectable redirection of Uniform Resource Indicators (URIs). The last feature is of particular interest when changing the structure of a site, moving to a new domain or, yes, stopping content leeching. Even better the htaccess file works on a folder-by-folder basis, making it easy to exclude just the content you want from direct linking. More information can be found in Apache’s very useful tutorial on htaccess files.

So, let’s assume you have created a htaccess file in your website’s root directory. That means that all your content will be protected against hotlinking. The first thing you need to put into your file is:

RewriteEngine on

This simple command tells the Apache server that you intend to redirect certain requests. This is handled well before anything is sent to the client, and so there’s no way around this redirection. The next stage is to indicate which referrers you would like to give access to. Obviously your own site must be able to access the content, so you want to add a line like this:

RewriteCond %{HTTP_REFERER} !^https://([^.]+\.)? [NC]

Where is replaced by your own domain. Create a similar entry for all sites you wish to exclude from Apache hotlink protection. It is also advisable to add an entry excluding ‘.’, the empty referrer, to ensure that browsers which strip this information are not adversely affected. Once your whitelist has been created the final step is to put in place the actual redirect rule itself:

RewriteRule \.(gif|jpg|png)$ /stophotlinkingme.gif [NC,L]

The example given here will redirect any requests for .gif, .jpg and .png files from referrers that are not on the whitelist to an image called ‘stophotlinkingme.gif’.

Play With Your Protection

The basic example given here would ensure that nobody could leech images from your website. However, why not get a little more creative. Rules can be set in place to stop people linking directly to zip files on your hosting, instead redirecting them to a generic search page. This would ensure that the end-user actually sees your website, and gives you a chance to engage with them. You can also play with the files you redirect to. Showing a 1x1 pixel image will certainly reduce your bandwidth bill, but why not take the opportunity for a bit of cheeky advertising on someone else’s site? The best part is modern browsers cache content when it’s first encountered, meaning that the site owners themselves often never see the replacement image. This can lead to some very confused responses to comments left on their pages, at least until they flush their cache. Experimenting with Apache’s hotlink protection can produce some cool tricks; and after all, isn’t that why so many of us got into IT in the first place?