Keystone Websites: Preventing “hotlinking”

Keystone Websites

Preventing “hotlinking”

Why is this necessary?

“Hotlinking” is a form of bandwidth theft. Basically, when creating a web page it is easy to link to a file (such as an image or a video) that exists on a remote (completely separate) site. Each time the web page is accessed, the file is retrieved from the remote web site.

Consider this example: You have created a personal gallery of cherished images. Someone else likes one of your images, so they post a "hotlink" to that image on a popular forum that they visit. Now that image is plucked from your web server every single time that page of the forum is viewed. It can quickly add up to thousands of requests, eating into your precious bandwidth allocation. To make matters worse, the image is so popular that it begins to appear in several other forums.

How can hotlinking be prevented?

There are several ways you can prevent hotlinking, but the best involve adding lines to your .htaccess file. If you do not already have an .htaccess file, you can create one in a text editor - note the strange filename .htaccess. In the code below, your domain is assumed to be www.example.com. You will need to change the code to reflect your own domain name. Please note: this technique will only work on the Apache web server.

Replacing images

Deny all remote servers

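The following code will cause the remote page to display no_hotlink.jpg instead of the requested image:

RewriteEngine On
# Referer is set (http or https) and is not a page on our own site
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteCond %{HTTP_REFERER} ^https?:// [NC]
RewriteCond %{HTTP_REFERER} !^$
# Skip the replacement image itself, otherwise the redirect loops
RewriteCond %{REQUEST_URI} !/no_hotlink\.jpg$
RewriteRule \.(jpe?g|gif|png)$ images/no_hotlink.jpg [R,L]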

Allow hotlinking from only a specified directory

The following code will cause the requesting page to display no_hotlink.jpg instead of the requested image, unless the image has been requested from a specified directory (dir):

RewriteEngine On
# Only pages under /dir/ on our own site may embed the images
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/dir/ [NC]
RewriteCond %{HTTP_REFERER} ^https?:// [NC]
RewriteCond %{HTTP_REFERER} !^$
# Skip the replacement image itself, otherwise the redirect loops
RewriteCond %{REQUEST_URI} !/no_hotlink\.jpg$
RewriteRule \.(jpe?g|gif|png)$ images/no_hotlink.jpg [R,L]

Allow hotlinking to all but specified domains

The following code will cause the remote page to display no_hotlink.jpg instead of the requested image, but only when the image has been requested by badsite.net or badsite.com:

RewriteEngine On
# Match either scheme so https pages on the listed domains are covered too
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?badsite\.net/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?badsite\.com/ [NC]
# Skip the replacement image itself, otherwise the redirect loops
RewriteCond %{REQUEST_URI} !/no_hotlink\.jpg$
RewriteRule \.(jpe?g|gif|png)$ images/no_hotlink.jpg [R,L]

Preventing bandwidth theft

Instead of replacing the image, these methods will simply deny the remote domain access to the images altogether, thus preventing any bandwidth theft.

Blocking all domains

The following code will return a 403 Forbidden error instead of the requested image:

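RewriteEngine On
# Referer is set (http or https) and is not a page on our own site;
# requests that send no Referer at all are let through
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteCond %{HTTP_REFERER} ^https?:// [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(jpe?g|gif|png)$ - [F]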

Blocking specific domains

The following code will return a 403 Forbidden error instead of the requested image, but only when the image has been requested by badsite.net or badsite.com:

RewriteEngine On
# Match either scheme so https pages on the listed domains are covered too
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?badsite\.net/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?badsite\.com/ [NC]
RewriteRule \.(jpe?g|gif|png)$ - [F]
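
An added example, not part of the original article: a small Python model of the "Blocking all domains" conditions, run over constructed Referer values, to check which requests such a rule set actually catches. The scheme parameter, the function names and the sample URLs are assumptions of this example; it compares patterns anchored on ^http:// with patterns anchored on ^https?://.

```python
import re

# RewriteRule pattern from the page; it carries no [NC], so it is case-sensitive.
IMAGE = re.compile(r"\.(jpe?g|gif|png)$")

def is_blocked(referer, path, scheme=r"^https?://"):
    """Return True when the modelled rule set would answer 403 Forbidden.

    scheme is the prefix used in the Referer patterns (an assumption of this
    model, so that "^http://" and "^https?://" can be compared).
    """
    if not IMAGE.search(path):          # RewriteRule pattern is tested first
        return False
    conds = [                           # (pattern, must_match); all are ANDed
        (scheme + r"(www\.)?example\.com/", False),  # not one of our own pages
        (scheme, True),                              # Referer is an absolute URL
        (r"^$", False),                              # Referer is not empty
    ]
    # [NC] on each RewriteCond is modelled with re.IGNORECASE
    return all(bool(re.search(p, referer, re.I)) is want for p, want in conds)

# Constructed sample requests: (Referer header, requested path)
SAMPLES = [
    ("", "/photos/cat.jpg"),
    ("http://www.example.com/gallery.html", "/photos/cat.jpg"),
    ("http://EXAMPLE.com/gallery.html", "/photos/cat.jpg"),
    ("http://forum.example.net/thread/1", "/photos/cat.jpg"),
    ("https://forum.example.net/thread/1", "/photos/cat.jpg"),
    ("http://example.com.example.net/page", "/photos/cat.jpg"),
    ("http://forum.example.net/thread/1", "/photos/cat.JPG"),
]

def compare(samples=SAMPLES):
    """Return (referer, path, blocked with ^http://, blocked with ^https?://)."""
    return [(r, p, is_blocked(r, p, r"^http://"), is_blocked(r, p))
            for r, p in samples]

if __name__ == "__main__":
    for referer, path, http_only, both in compare():
        print(f"{referer or '(none)':42} {path:16} "
              f"http-only={http_only!s:5} https?={both}")
```

Requests that carry no Referer pass in every case, and cat.JPG is missed because the RewriteRule pattern has no [NC] flag.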

This article was written on April 02, 2005 and last updated on April 05, 2005.
Thanks to Jim Dabell for assistance in refining this article.