Preventing image hotlinking

Important update: this entry has been revised with a much better alternative!

As some people think they can hotlink images from anywhere without giving me credit and stealing bandwidth, I had to resort to a little trickery to prevent this from happening.

For the curious, it involves the following piece of code, placed in a .htaccess file within my /images directory. I simply manage it from within MovableType via a template module linked to a file at images/.htaccess with the following module body:

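RewriteEngine On
# Let requests with an empty Referer through
RewriteCond %{HTTP_REFERER} !^$
# Let requests referred from this site through (dots escaped, host anchored)
RewriteCond %{HTTP_REFERER} !^http://(www\.)?padawan\.info(/.*)?$ [NC]
# Any other request for an image gets 403 Forbidden
RewriteRule \.(gif|jpg|jpeg|png)$ - [F,NC]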

N.B.: if you want to reuse this code, don't forget to replace padawan.info with your own domain. Obviously, this will only work on Apache or those web servers that use the same .htaccess mechanism.

Et voilà, no more hotlinking on images from this site.
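
An added example (not part of the original post): a small Python model of the two RewriteCond tests and the RewriteRule, for checking which requests a referer rule of this kind forbids before deploying it. It compares a loosely written host pattern (unescaped dots, open-ended tail) with an escaped, anchored one; the function names and sample requests are constructed for illustration.

```python
import re

# Two ways to write the allowed-Referer pattern (re.I mirrors the [NC] flag).
LOOSE = re.compile(r"^http://(www.)?padawan.info(/)?.*$", re.I)
STRICT = re.compile(r"^http://(www\.)?padawan\.info(/.*)?$", re.I)
# Image extensions covered by the RewriteRule.
IMAGE = re.compile(r"\.(gif|jpe?g|png)$", re.I)


def is_forbidden(uri, referer, allowed):
    """Model of the rule set: True means the request is answered with 403 ([F])."""
    if not IMAGE.search(uri):
        return False  # RewriteRule pattern does not match: rule not applied
    if referer == "":
        return False  # RewriteCond !^$ fails: an empty Referer is let through
    # Second RewriteCond: forbidden unless the Referer matches our own site.
    return allowed.search(referer) is None


# Constructed sample requests: (requested URI, Referer header value)
SAMPLES = [
    ("/images/cat.jpg", "http://padawan.info/archives/"),
    ("/images/cat.jpg", "http://www.padawan.info"),
    ("/images/cat.jpg", ""),
    ("/images/cat.jpg", "http://forum.example.org/thread/1"),
    ("/images/cat.jpg", "http://padawan.info.example.net/page"),
    ("/images/cat.jpg", "http://padawanxinfo.example/"),
    ("/images/index.html", "http://forum.example.org/"),
]


def report(allowed):
    """Return the forbidden/allowed decision for every sample request."""
    return [is_forbidden(uri, ref, allowed) for uri, ref in SAMPLES]


if __name__ == "__main__":
    rows = zip(SAMPLES, report(LOOSE), report(STRICT))
    for (uri, ref), loose, strict in rows:
        print(f"{uri:20} {ref or '(no referer)':38} "
              f"loose={'403' if loose else '200'} "
              f"strict={'403' if strict else '200'}")
```

The two patterns disagree only on the look-alike hosts: the loose one treats them as this site, the anchored one does not. Both let an empty Referer through, because the first condition exempts it.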

Unless I specifically say otherwise, if you want to reuse an image from here, please ask first then host the image on your site.

9 Comments

Does this code prevent people using browsers that do not send HTTP referrers from displaying the images when browsing your site? (Sorry if my question sounds dumb, but this function is sometimes disabled by Mozilla users for possibly good reasons.)

I'm afraid it does. I bet it also prevents Google and other robots from getting images into their indexes.

_what_ images on this site? ;)

What image is more correct. For some weird reason, this one here has been republished several times.

As my site is mainly devoted to showing photos, and I want people to find me when they search on images.google.com, I've chosen a different path:
I watch my logs, and decide who gets the photos and who doesn't.
I put .htaccess files redirecting the domain names of the offenders towards a .gif file instead of the image they want; this gif file contains my website address.

Rule goes like this:
# Don't redirect requests for the replacement image itself
RewriteCond %{REQUEST_URI} !hotlinkImage\.gif$
RewriteCond %{HTTP_REFERER} http://.*offendingdomain\.com
RewriteRule .*\.(gif|GIF|jpg|JPG)$ http://sophie-g.net/pct/hotlinkImage.gif [R,L]

I tend to scatter these .htaccess in the images folders, to put less strain on the server... I don't know if it makes a difference.

I like your code idea for its simplicity.

I find too many of my images are wandering off to other sites also.

I've gone the no index/follow route for the search robots, and denied directory listing for those who follow the link address back to surf around.

Still, I wish there was a way to keep people from downloading images for wholesale ripoffs. Like the guy I found who swiped a photo of my cousin and is now using it on Match.com.

I don't know of any robust way to prevent someone from downloading an image on their computer and later reusing it. However, there are ways you can embed a watermark, or "taint" an image and later expose that signature to confound someone who has made an unauthorized usage of one of your images.

Search for steganography.

Hi François,

I've been having problems with hot-linking too... Just out of curiosity I tried your hot-linking ability with this tester... and you know. It's telling me your images are still hot-linkable. Try it yourself.

http://www.htmlbasix.com/disablehotlinking.shtml

So, this makes me wonder... are there any effective 'anti-hot-linking' methods anywhere online? Cause I'm STILL looking for a workable script that doesn't break MT. Cheers.

Well, works for me, don't know how that script works.
