Smarter Picture Hotlinking Prevention – A Record Aside

Hey! That’s mine!#section1

Most net professionals are all too conscious of the issues brought on by hotlinkers. Leechers. Bandwidth thieves. Individuals who use photographs hosted in your net server on their very own pages.

Article Continues Under

For some fortunate individuals who don’t pay by the gigabyte for the quantity of information they switch, that’s not too large a deal. Who cares if some little-trafficked weblog makes use of your {photograph} of snow falling in New York?

For different websites, nonetheless, it’s a a lot greater downside. If a 100K JPEG is hotlinked on a web site that will get, say, 1,000 hits a day, that’s 100MB of information transferred out of your web site with out a single individual truly visiting your web site. When you have just a few gigabytes of switch accessible monthly — or worse, pay cash per gigabyte — this may add up. And if somebody have been to leech a whole gallery out of your web site …

The difficulty is that the same old approaches for stopping hotlinking have a few negative effects.

Fast fixes aren’t good#section3

The same old strategy is to instruct the server to disclaim all requests for photographs the place the HTTP referer header 1 shouldn’t be both from your individual web site (or clean). Thus, solely individuals truly searching your website — or these whose browsers should not passing referrer headers for no matter purpose — will have the ability to see the picture.

A second strategy is to redirect off-site visitors to an alternate picture — both a basic “hotlinking denied” picture, or (within the case of some mischievous site owners) one thing extra stunning.

The difficulty with these methods is that common linking can be prevented. Since browsers additionally ship referrer headers when somebody clicks a hyperlink to certainly one of your photographs, the one method for individuals to go on to your footage could be to repeat and paste a hyperlink into a brand new browser window. Granted, some site owners may like this — it ensures that individuals hyperlink to the pages that photographs seem on — however others might want hyperlinks to succeed. Plus, in case you have a gallery web page with plenty of photographs, this technique makes it troublesome for somebody to level on to a specific piece of your unbelievable art work.

The answer I’m about to recommend solves this downside whereas giving credit score to you when individuals hyperlink to your footage.

The place will we go from right here?#section4

With PHP and mod_rewrite, you possibly can disallow embedding and permit linking whereas mechanically creating gallery pages for these direct linkers. It’s the very best of all worlds, and right here’s do it.

You’ll want an Apache server able to operating PHP, with mod_rewrite enabled. In case you don’t know what you have got, ask your internet hosting firm, or give it a strive — if it fails, you’ll know you don’t have them.

First, create a brand new file known as showpic.php and put this code in it:

  header("Content material-type: textual content/html");
  header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
  header("Cache-Management: no-store, no-cache,
  header("Cache-Management: post-check=0, pre-check=0",
  header("Pragma: no-cache");
  $pic = strip_tags( $_GET['pic'] );
  if ( ! $pic ) {
    die("No image specified.");

<title><?php echo($pic); ?></title>
  http-equiv="Content material-Sort"   c charset=iso-8859-1"


Picture from your website.

</physique> </html>

For sure, you need to change the HTML to match your individual website.

Let’s check out the PHP in there. The primary line is a header to verify the Content material-Sort despatched to the browser identifies the doc as HTML. We’ll see why that is necessary in a second. The second line checks {that a} variable $pic has been handed to the script. If not, it skips to the tip and exits fairly abruptly. Nonetheless, since this script ought to by no means be known as with out that variable (once more, we’ll see why later), that’s not an excessive amount of of a difficulty.

Assuming that this variable is there, the opposite traces of PHP strip any tags from it (to stop cross-site scripting exploits), output the variable in the best place to create a sound tag, and add the file title to the web page <title>.

Up to now, that is only a easy script. Go to and it’ll output a easy web page displaying yourname.gif and a credit score.

Now it will get attention-grabbing#section5

In case you’re an .htaccess neophyte, check out this introduction which can take you thru the fundamentals.

The following step is so as to add the next code to your .htaccess file:

RewriteEngine OnRewriteCond %{REQUEST_FILENAME} .*jpg$|.*gif$|.*png$ [NC]
RewriteCond %{HTTP_REFERER} !^$ 
RewriteCond %{HTTP_REFERER} ! [NC] 
RewriteCond %{HTTP_REFERER} ! [NC]  
RewriteCond %{HTTP_REFERER} !google. [NC] 
RewriteCond %{HTTP_REFERER} !search?q=cache [NC]RewriteRule (.*) /showpic.php?pic=$1

Let’s undergo this one line at a time. RewriteEngine On will get mod_rewrite able to do its stuff. First come the situations:

RewriteCond %{REQUEST_FILENAME} .*jpg$|.*gif$|.*png$ [NC]

Okay. First situation: the file title should finish in .jpg, .gif, or .png. This makes positive our hotlink prevention solely triggers on photographs. You may wish to change this to incorporate .swf, .mp3, or different related information.

RewriteCond %{HTTP_REFERER} !^$

Second situation: the referrer should not be clean. Which means that individuals who aren’t passing referrer headers, for no matter purpose, will nonetheless have the ability to see your photographs.

RewriteCond %{HTTP_REFERER} ! [NC]
RewriteCond %{HTTP_REFERER} ! [NC]

These subsequent situations enable linking from your individual web site, and another pleasant websites that you just wish to enable linking from. Change the websites to your individual, after all. Apache isn’t psychic.

(Don’t know what the ! .*$ is all about? It’s an everyday expression. In case you maintain the format the identical, you don’t want to fret about it.)

RewriteCond %{HTTP_REFERER} !google. [NC] 
RewriteCond %{HTTP_REFERER} !search?q=cache [NC]

Okay. Lastly, let’s let Google get by means of. These final situations enable individuals utilizing the Google cache and Google Picture Search to see your footage. (You may wish to take away this when you don’t need individuals to seek out your footage this fashion, however I don’t suggest it.)

Now let’s hook the 2 collectively. On to the final line of the .htaccess file, which is:

RewriteRule (.*) /showpic.php?pic=$1

This final rule silently redirects the request to /showpic.php?pic=[the requested file]. Due to the surprise of Apache, this can mechanically embrace all essential slashes and path data, and never be seen to the tip consumer.

Now, the one method a request may have received this far is that if:

  • It’s for a picture file, and
  • it’s not coming from a site that you just personal or are buddies with.

So firstly, and most significantly, if somebody tries to hotlink certainly one of your photographs, it’ll fail — the browser, as a substitute of receiving a picture file, will obtain the results of showpic.php, which is distributed as textual content/html. It’ll realise it could actually’t show it, and produce a damaged picture placeholder. Bandwidth saved.

Alternatively, if somebody tries to hyperlink on to your photographs, they’ll get silently redirected to an HTML web page together with your credit score on it! No pink X, no foolish “denied” picture — only a useful web page that exhibits them the picture they wish to see, and offers you credit score in your work.

To start with, let’s verify that the script nonetheless permits photographs to load for individuals visiting your individual website. Sure, that appears nice. Now, let’s see if A Record Aside can hotlink my photographs. Nope, guess not. And what occurs when you simply hyperlink straight to the picture file? Effectively, there’s a properly formatted web page.

In case you’re utilizing some form of content material administration system like Gallery, there may be a technique to tie a script like this right into a database of images, and mechanically generate ALT tags and extra details about the image.

In fact, I’ll depart that as an train for the reader.

1 For some purpose, the HTTP specs misspell “referrer” as “referer.”

Editor’s Observe: The PHP code instance on this article has been edited to handle a small potential cross-site scripting vulnerability, to work with register_globals and short_tag off, and to work with caching. Due to everybody who helped make it higher.

Leave a Comment