Hotlink prevention under Apache
Posted: Sat Jul 14, 2007 5:02 pm
Not sure if this belongs in security forum, but it was categorized under security in my book, sooo... 
Hotlinking. The very idea drives me crazy that anyone would attempt such a cheap tactic. Consider the following mod_rewrite technique for preventing hotlinking:
Code:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC]
RewriteCond %{HTTP_REFERER} ^http:// [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(jpg|gif|png)$ - [F]
I see two problems with this approach.
1) There are many more types of files which you may wish to prevent hotlinking (pdf downloads, etc?) than just the listed files. Perhaps you can change this to prevent hotlinking to anything but HTML files?
2) Isn't HTTP_REFERER a variable which you can spoof? Could you not request a resource from another web site and spoof the HTTP_REFERER
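Added example, not part of the original post: a small Python model of the rule set above, with the RewriteRule pattern anchored by `$`, evaluated over constructed requests to show which ones receive a 403 and which pass. The `NON_HTML` pattern is a hypothetical variant for point 1, and all sample paths and Referer values are constructed.

```python
import re

# RewriteCond patterns from the post; [NC] makes them case-insensitive.
OWN_SITE = re.compile(r"^http://(www\.)?example\.com/", re.I)
HTTP_URL = re.compile(r"^http://", re.I)
# RewriteRule patterns (no [NC], so case-sensitive): the posted one, and a
# hypothetical variant for point 1 that covers everything except HTML pages
# and directory URLs.
IMAGES_ONLY = re.compile(r"\.(jpg|gif|png)$")
NON_HTML = re.compile(r"^(?!.*\.html?$)(?!.*/$).+")

def is_forbidden(path, referer, rule=IMAGES_ONLY):
    """True when the rule pattern and all three conditions match (403)."""
    referer = referer or ""  # a missing header expands to the empty string
    return bool(
        rule.search(path)
        and not OWN_SITE.search(referer)   # !^http://(www\.)?example\.com/
        and HTTP_URL.search(referer)       # ^http://
        and referer != ""                  # !^$
    )

# Constructed sample requests: (path, Referer header or None, note).
SAMPLES = [
    ("/img/logo.png", "http://www.example.com/index.html", "own page"),
    ("/img/logo.png", "http://other.example.net/page", "embedded elsewhere"),
    ("/img/logo.png", None, "no Referer sent"),
    ("/img/logo.png", "http://example.com/", "client-chosen header value"),
    ("/img/logo.png", "https://other.example.net/page", "https referrer"),
    ("/img/LOGO.PNG", "http://other.example.net/page", "upper-case extension"),
    ("/docs/report.pdf", "http://other.example.net/page", "non-image file"),
]

def evaluate(rule=IMAGES_ONLY):
    """Map each constructed (path, referer) pair to its 403 decision."""
    return {(p, r): is_forbidden(p, r, rule) for p, r, _ in SAMPLES}

if __name__ == "__main__":
    for path, referer, note in SAMPLES:
        print(f"{note:28} images-only={is_forbidden(path, referer)!s:5} "
              f"non-html={is_forbidden(path, referer, NON_HTML)}")
```

Only one of the seven sample requests is refused by the posted rule: the header is supplied by the client, so the check discourages casual embedding but is not access control.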