One of the most annoying things I run across when running a web-site is the theft of bandwidth, my bandwidth. This is most commonly done through the direct—or hot, if you will—linking to images on my server. The perpetrator is usually someone who thinks that all Internet content is free to use as they see fit. Unfortunately for me and you, we get stuck with the bill. There are some very simple ways to prevent this, unfortunately there is no ultimate solution that will prevent it entirely all the time. I’d like to present some basic solutions to keep a lid on heavy hot linking.

The old “Image Switch”

This is most likely the simplest method, yet it lacks automation and also requires you to make changes to your web-site directly. With this method you simply remove the hot linked image or replace it with something that gets the point across that you don’t appreciate being hot linked. The draw back is then you have to go through your entire web-site and repair all the broken links to the (old) image in question, because you’ll have to rename the real image to something else. I think this is a fine method if you have only a few images and a couple of hot linkers, but when you start getting a lot of images and a lot of illegitimate requests this method fails due to it’s heavy upkeep. My main complaint is that it requires you to change valid information architecture just to deal with a few ne’er-do-wells.

.htaccess to the rescue?

This method is better, though not ideal and still requires some upkeep. It may be more difficult for non-programmers, but that’s why I’m writing this down isn’t it? Also this method requires and Apache/UNIX server with mod_rewrite installed and enabled. With this method you can choose two routes “whitelist” or “blacklist” racial and good/evil connotations aside these two types of lists are different but the same.

The whitelist basically tells the server, only accept image requests deriving from these “good” domains. Whereas the blacklist tells the server, accept all image requests except from these “bad” domains.

A whitelist can be a quick and easy way to stop hot linking, but it has a couple of side effects, especially if you want to redirect the requests to a snarky image replacement. The reason a whitelist doesn’t work well is with RSS feeds you can recieve a lot of legitimate requests for images contained within your feed. You may also have advertisment banners that you allow people to directly link to. Now with a whitelist, you will shut out RSS feed readers entirely, but you could add any legitimate domains for banners and buttons, but that could get tedious as you get more popular.

Blacklists on the other hand can be a bit more maintenance free, as they will only block specific requests, for instance, I find a ton of folks over at myspace hot linking to my photos and illustrations, so I place the line;

RewriteCond %{HTTP_REFERER} ^http://(www.)?myspace.com/ [NC,OR]

In my .htaccess file which basically says do not allow any direct or hot linking from myspace.com. Of course there are some other lines you’ll want to put in there to get it to work which I’ll discuss in a second, but it’s important to remind you that you’ll need mod_rewrite installed and enabled on your server for this method to work properly.

Creating a .htaccess file

Just open a text editor and type in;

RewriteEngine on

This line initiates the rewrite engine so that the server will pay attention to the rest of what we want to tell it. Next you want to give the server instructions on what to allow/disallow. For whitelists you use the following line;

RewriteCond %{HTTP_REFERER} !^http://(www.)?YOURDOMAIN.tld/.*$ [NC]

This tells your server to only allow requests from referrers that match YOURDOMAIN, of course you’ll change the YOURDOMAIN to your actual domain name, and the .tld to your top level domain extension .com, .net, .tv etc… You may add other lines to cover other domains you may have or any domains you want to allow requests from.

For blacklists you write the condition like this;

RewriteCond %{HTTP_REFERER} ^http://(www.)?myspace.com/ [NC,OR]

This does the same thing as a whitelist, but in reverse, it allows all requests except ones coming from the listed domains. I prefer blacklists, as they tend to require less upkeep, just need to add a new restricted domain once in a while when they come up. You can place as many domain lines in either list as you want. After the list you need to tell the server which file types you want to prevent direct or hot linking to.

To accomplish this use the line;

RewriteRule .*.(jpg|jpeg|gif|png|bmp)$ http://www.1lotus.com/images/robber.gif [R,NC]

Ok, this is a little more complex but still very simple, the first part of the line;

.*.(jpg|jpeg|gif|png|bmp)$

Says any file with the extension .jpg, .jpeg, .gif, .png or .bmp will be redirected to alternate content. If you want to add additional extensions you can easily do so, just separate each extension with a “|” (the pipe) character, so let’s say I want to stop direct linking to .pdf’s as well, here’s how I would add those in;

.*.(jpg|jpeg|gif|png|bmp|pdf)$

Now the second part of our line;

http://www.1lotus.com/images/robber.gif [R,NC]

Tells the server where to send requests for the images and other media being made by domains on the blacklist or not on the whitelist. In my case I send the perps a pretty snarky and slightly asshole-ish image replacement to get the point across. I know, it’s bad, but I’m really tried of it.

To recap the .htaccess method I have explained—hopefully clearly—here, your .htaccess file should contain the following;

RewriteEngine on Initiates engine
RewriteCond %{HTTP_REFERER} ^http://(www.)?myspace.com/ [NC,OR] for blacklists OR
RewriteCond %{HTTP_REFERER} !^http://(www.)?YOURDOMAIN.tld/.*$ [NC] for whitelists
RewriteRule .*.(jpg|jpeg|gif|png|bmp)$ http://www.1lotus.com/images/robber.gif [R,NC] defines allowed/disallowed extensions and where to send the request.

Then just save the file as .htaccess, and upload it to the root directory of your web-site, usually where your main index.ext file is.

One thing to mention, you may only have one .htaccess file in each directory, so if you already have one that handles friendly urls or error redirect you can add the above code directly to the bottom of the file, just leave out the line;

RewriteEngine on As it should already be in the file elsewhere, and you only need to initiate the engine once.

Other Options?

Now there are other more complex options that would not require mod_rewrite or an .htaccess file. For instance you could use PHP or ASP to purposefully give your images false urls then do a little check to make sure the request for the image is coming through the script and not directly to the image. This is a small example but, it gives you an idea of what can be accomplished. I personally have good success using .htaccess.

If anyone has any suggestions to help make this information better or more clear, I would love to hear it. Thanks for reading I hope you enjoyed it.