Disable hotlinking via htaccess and mod_rewrite
Introduction
Wherever your website is hosted, you'll have a limit on the total amount of data transfer (bandwidth) you can use per month before you need to start paying out for more. Unfortunately people don't really consider this when they decide to directly link to files hosted on your site from other websites and forums, the most common problem being images.
Using .htaccess files and Apache's mod_rewrite, we can restrict the domains that are allowed to link directly to our files, meaning people won't be able to post your images or other files all over the web and eat up all the data transfer that you pay for.
Create The File
Firstly, you'll want to create a .htaccess file; this is the file that'll contain the rules we need to prevent people linking directly to our files. Create and save a new file as ".htaccess". It should be exactly that, with no .txt, .html or other extension. When saving the file in Notepad, make sure you include the quotes, which will stop any extension being added.
.htaccess files work down through your directories. For example, if you place the file in your main/root folder, the rules within it will apply to all directories on your site, but if the file is placed into a specific directory, e.g. /images/, the rules will only apply to that directory and any below it. So decide which files you want to prevent access to, and then you can work out where your .htaccess file needs to be.
Before going any further, you might find that you already have a .htaccess file in your main/root directory, depending on any scripts you might have already installed or how the user accounts on your server are configured. If you do, you can discard the new file and add the code from below into the existing one.
The Code
Now we can edit the .htaccess file we created (or your existing one) and add the following lines:
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_REFERER} !^$
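RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com(/|$) [NC]
The first line just enables the mod_rewrite engine; the second means any paths we specify later on will be treated as relative to your home directory (e.g. if you specify the path /stuff/images it'll reference yourdomain.com/stuff/images regardless of where your .htaccess file is located).
Edit the domain in the last line to your own. The two RewriteCond lines tell the server to pick out requests whose HTTP_REFERER is non-empty and does not match your domain, as obviously you want to be able to link to your own files. Requests with an empty referer (typed-in URLs, or clients that strip the header) are left alone. In the pattern, https? accepts both http and https, the dot is escaped so it only matches a literal dot, and (/|$) requires the host name to end right after your domain, so that a look-alike host such as domain.com.example.net does not pass as yours.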
If you want to allow certain other domains to link directly to your files or images, for example because you use images in your signature on a forum you visit, you can specify those domains by adding further lines in the same format as above, e.g.:
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?another_domain\.com(/|$) [NC]
Next we need to decide which files we want to prevent people hotlinking to and what we want to do with requests made by people who try. The most common way, if we just want to prevent hotlinking to images, would be to use the following:
RewriteRule .*\.(gif|jpe?g|png|bmp)$ - [F,NC]
The dash in the middle means "don't rewrite the URL"; a RewriteRule always needs a pattern and a substitution before any flags. To quickly explain the flags at the end of the rule, [F,NC]: the F flag makes the server answer with 403 Forbidden instead of sending the file, and the NC flag says to ignore case so 'image.jpg' and 'image.JPG' would be blocked just the same. The use of the question mark in 'jpe?g' means the previous character is optional, so with this we're covering both .jpg and .jpeg file types.
Using the above will mean that anybody directly linking to images of the specified types from a domain other than those you added in the first few lines will not see the images; they will only see that well-known red X (Internet Explorer) or simply nothing, as if the image doesn't exist.
If you want to use a default image that shows up instead, like the ones you've probably seen that state "NO HOTLINKING ALLOWED" or similar, change the last line to the following:
RewriteRule \.(gif|jpe?g|png|bmp)$ /images/myimage.gif [L,NC]
Just edit the path and filename for the image you want to be displayed. Remember, though, that if you're using this to reduce your bandwidth, the last option isn't ideal, because people are still linking to an image on your site; it's just images/myimage.gif rather than the one they chose. If you're going to stick with the first option, the full code you now have in your .htaccess file should look something like this:
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com(/|$) [NC]
RewriteRule .*\.(gif|jpe?g|png|bmp)$ - [F,NC]
And that's all you need. Remember when saving the changes to the file to ensure that there's no .txt or other extension added to the end.
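To check a referer pattern before uploading the file, the ruleset's decision can be modelled offline. The following is an added example, not part of the original tutorial: it uses Python's re module as a stand-in for Apache's regex matching, and the function names, the two candidate patterns and the sample referers are constructed for illustration.

```python
import re

# RewriteRule pattern with the [NC] flag (case-insensitive).
IMAGE_RE = re.compile(r".*\.(gif|jpe?g|png|bmp)$", re.IGNORECASE)

# Two candidate allow-list patterns for the placeholder domain "domain.com".
LOOSE = r"^http://(www\.)?domain.com(/)?.*$"    # unescaped dot, open-ended tail
STRICT = r"^https?://(www\.)?domain\.com(/|$)"  # host must end at "/" or end of string


def is_blocked(path, referer, allowed_patterns):
    """Return True when the modelled ruleset would answer 403: the path is an
    image, the referer is non-empty, and no allowed pattern matches it."""
    if not IMAGE_RE.search(path):
        return False  # RewriteRule pattern does not match, rule is skipped
    if referer == "":
        return False  # "RewriteCond %{HTTP_REFERER} !^$" is not satisfied
    if any(re.search(p, referer, re.IGNORECASE) for p in allowed_patterns):
        return False  # one of the negated allow-list conditions fails
    return True       # every condition holds, so [F] applies


# Constructed sample referers, including look-alike host names.
SAMPLES = [
    "",
    "http://www.domain.com/gallery.html",
    "https://domain.com/",
    "http://forum.example.net/thread/42",
    "http://domain.com.example.net/page",
    "http://domainxcom/",
]


def report(pattern):
    """Map each sample referer to the decision for a request to an image."""
    return {ref: is_blocked("/images/Photo.JPG", ref, [pattern]) for ref in SAMPLES}


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        print(name)
        for ref, blocked in report(pattern).items():
            print(f"  {'403' if blocked else '200'}  {ref or '(empty referer)'}")
```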


