Hotlink prevention under Apache

Posted: Sat Jul 14, 2007 5:02 pm
by alex.barylski
Not sure if this belongs in security forum, but it was categorized under security in my book, sooo... :)

Hotlinking. The very idea drives me crazy that anyone would attempt such a cheap tactic. Consider the following mod_rewrite technique for preventing hotlinking:

Code:

RewriteEngine On
# Referer is not our own site ...
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC]
# ... and a Referer is present and starts with http:// (an empty Referer is let through)
RewriteCond %{HTTP_REFERER} ^http:// [NC]
RewriteCond %{HTTP_REFERER} !^$
# Refuse (403) image requests that meet all of the above; "$" anchors the extension at the end of the path
RewriteRule \.(jpg|gif|png)$ - [F]

I see two problems with this approach.

1) There are many more types of files which you may wish to prevent hotlinking (pdf downloads, etc?) than just the listed files. Perhaps you can change this to prevent hotlinking to anything but HTML files?

2) Isn't HTTP_REFERER a variable which you can spoof? Could you not request a resource from another web site and spoof the HTTP_REFERER?
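The rewrite chain from the post, re-implemented in Python so the decision can be traced request by request: this is an added example for the thread, not code from the post or from Apache. It also models the "anything but HTML" variant raised as point 1 (assumed to be written as the negated pattern `RewriteRule !\.html?$ - [F]`) and shows what the Referer check does and does not see: the empty-header, https and client-supplied cases; example.com stands for the protected site.

```python
import re
from typing import Optional

# RewriteRule pattern from the post. No [NC] flag, so it is case-sensitive ("logo.PNG" is not covered).
IMAGE_PATH = re.compile(r"\.(jpg|gif|png)$")
# Point 1, "anything but HTML", modelled as the negated pattern RewriteRule !\.html?$ - [F] (assumption).
HTML_PATH = re.compile(r"\.html?$")
# First RewriteCond: Referer is NOT the site itself; [NC] makes it case-insensitive.
OWN_SITE = re.compile(r"^http://(www\.)?example\.com/", re.IGNORECASE)


def rule_covers(path: str, policy: str) -> bool:
    """Which request paths the RewriteRule pattern matches under each policy."""
    if policy == "images":
        return IMAGE_PATH.search(path) is not None
    if policy == "all-but-html":
        # A bare directory URL such as "/" has no .html suffix, so it is covered too.
        return HTML_PATH.search(path) is None
    raise ValueError(f"unknown policy {policy!r}")


def hotlink_blocked(path: str, referer: Optional[str], policy: str = "images") -> bool:
    """True when the chain would answer 403 (the [F] flag). The RewriteConds are AND-ed."""
    if not rule_covers(path, policy):
        return False
    ref = referer or ""                     # absent header -> %{HTTP_REFERER} expands to ""
    if ref == "":
        return False                        # RewriteCond %{HTTP_REFERER} !^$
    if not ref.lower().startswith("http://"):
        return False                        # RewriteCond %{HTTP_REFERER} ^http:// [NC]; https never matches
    return OWN_SITE.match(ref) is None      # RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC]


if __name__ == "__main__":
    # Constructed requests: (request path, Referer header exactly as the client sent it)
    requests = [
        ("/img/logo.png", "http://www.example.com/gallery.html"),   # own page: allowed
        ("/img/logo.png", "http://other.example/blog.html"),        # hotlink: blocked
        ("/img/logo.png", None),                                    # typed or bookmarked: allowed
        ("/img/logo.png", "https://other.example/blog.html"),       # https referer is not caught by ^http://
        ("/img/logo.png", "http://example.com/anything"),           # the server only sees the header value (point 2)
        ("/docs/brochure.pdf", "http://other.example/links.html"),  # not an image: allowed (point 1)
    ]
    for path, ref in requests:
        print(f"{path:20} {str(ref):40} blocked={hotlink_blocked(path, ref)}")
```

The check is a bandwidth deterrent, not an access control: the server cannot distinguish a genuine Referer from any other string the client chooses to send.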

Posted: Sat Jul 14, 2007 6:04 pm
by feyd
This isn't PHP Security.

Moved to Installation.

Re: Hotlink prevention under Apache

Posted: Sun Jul 15, 2007 6:45 am
by superdezign
Hockey wrote: Hotlinking. The very idea drives me crazy that anyone would attempt such a cheap tactic.
Tactic...? I think the prevention would be a tactic, not the use. :-p
Besides, it's always good to watermark your images so that if anyone does hotlink, the viewers would still visit your website (though, you could do the same with a 'no leeching!' image).
Hockey wrote: 1) There are many more types of files which you may wish to prevent hotlinking (pdf downloads, etc?) than just the listed files. Perhaps you can change this to prevent hotlinking to anything but HTML files?
I don't know about all of that. What happens when people don't actually hotlink your content, but simply link to it with an anchor? They're unlikely to link directly to an image, but they may link directly to other types of files, and the HTTP_REFERER would still be the website that was only trying to increase your traffic.
Hockey wrote: 2) Isn't HTTP_REFERER a variable which you can spoof? Could you not request a resource from another web site and spoof the HTTP_REFERER?
I could be wrong, but I believe it can be spoofed client-side, but server-side... I'm not sure. I guess, if they wanted to, they could attempt to edit it in the header, maybe.

Really, your biggest worry with hotlinking is regular people using your bandwidth on big servers like... Here on the DevNet forums, or on MySpace, or on eBay. They wouldn't have that kind of access.

Re: Hotlink prevention under Apache

Posted: Sun Jul 15, 2007 5:27 pm
by alex.barylski
superdezign wrote: Tactic...? I think the prevention would be a tactic, not the use. :-p
Besides, it's always good to watermark your images so that if anyone does hotlink, the viewers would still visit your website (though, you could do the same with a 'no leeching!' image).
Watermarking is one method I suppose (but unless the image uploader in a CMS does this for you, you can't expect a client to watermark every image they upload). Besides, watermarking doesn't guarantee people visit your web site; it just sorta copyrights the material. If you had advertising on the site, hotlinking watermarked images wouldn't cut the mustard. Plus watermarking logos wouldn't look very good.
superdezign wrote: I don't know about all of that. What happens when people don't actually hotlink your content, but simply link to it with an anchor? They're unlikely to link directly to an image, but they may link directly to other types of files, and the HTTP_REFERER would still be the website that was only trying to increase your traffic.
That's still hotlinking IMHO. :)

They are delivering files to their visitors using your bandwidth. Even if it's just a link to a PDF on your site. At a minimum they should link to the page which contains the PDF, so a user sees your web site. If you were downloading a PDF which was branded, then it would make sense to allow external linking; Touché, I didn't think of that one. In the case of a web site which relied on advertising, allowing external linking to a PDF might not make sense. Personally, I would prefer people linked to the web pages and saw the web page, downloading through the site directly.
superdezign wrote: Really, your biggest worry with hotlinking is regular people using your bandwidth on big servers like... Here on the DevNet forums, or on MySpace, or on eBay. They wouldn't have that kind of access
While that is a good point, it isn't the point I am trying to make. :P

Murphy's law: "If something can go wrong, it will!"

Knowing that something can be fixed or improved and not doing anything about it drives me batty.