PhotoDude.com

Wed. Jul 28, 2004

Blocking Bandwidth Theft With .htaccess

Inspired in part by the article at A List Apart on Smarter Image Hotlinking Prevention, I decided to try to resolve a problem I had when using this technique in the past. The idea is to use some Apache mod_rewrite instructions in your .htaccess file to check requests for your images. If the request comes from a page outside your domain, the request is denied. This stops people who like to “hot link” your images on their site, and in various web forums, drawing directly on your bandwidth from your server (i.e., you’re paying to serve up your images on someone else’s page). It is a continual problem here (or rather, was).

The standard technique I’ve used in the past had one flaw. It looks in the referrer string for my domain name, and if it doesn’t find it, the request is denied. The problem is that these days a lot of you folks use various “privacy” programs, like AddSubtract and Symantec (Norton) Internet Security, which deliberately block the referring URL. Worse, rather than simply leaving it blank, they replace it with something odd, like “Referrer blocked by AddSubtract”, or “XXXX:++++++++”, or simply ”-”. With the old .htaccess method, someone using that kind of software would come to my site, perfectly legitimately, and be unable to see the images.

Since this seemed to affect up to 4% of visitors (for no good reason), I eventually decided to drop it. But now I’ve cobbled together a new version of the mod_rewrite rules to address this:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} \.(jpg|gif|png)$ [NC]
RewriteCond %{HTTP_REFERER} ^(http|nttp)
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !photodude\.com [NC]
RewriteRule \.(jpg|gif|png)$ - [F,NC]

Line 1 turns on mod_rewrite. Line 2 limits the check to image files. Line 3 only considers referrers that begin with http or nttp (the odd replaced referrers above begin with something else, so those visitors still get their images; note that the alternatives go in parentheses, since square brackets would make a character class that matches any single letter of “http”). Line 4 says “allow images if the referring URL is empty.” That leaves only genuine URLs to be tested by Line 5, which requires that my domain name appear in the referring URL for an image to be served. Line 6 tells the server to deny the request with a 403 Forbidden if none of the earlier lines has let it through. Two caveats: Line 5 is a substring match, so a referring URL that merely contains “photodude.com” somewhere (in a query string, say, or inside a longer hostname) also passes, and anchoring the pattern to the host part of the URL is tighter; and the Referer header is supplied by the client, so this stops browsers embedding my images on other people’s pages, not anyone willing to forge a header. The ALA technique replaces that last line with another cool instruction, but I haven’t added that yet.
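To see exactly which referrers the rules above let through, here is an added example (not from the original post, and not Apache itself) that models the decision the .htaccess makes, alongside a host-anchored variant of the domain test that is this example’s own suggestion. The sample paths and Referer values are constructed; `forum.example` and `evil.example` are made-up hostnames, and image extensions are treated case-insensitively throughout.

```python
import re

# Added example: a model of the decision the .htaccess rules above make,
# so borderline referrers can be checked offline. Not Apache itself.

IMAGE_RE = re.compile(r"\.(jpg|gif|png)$", re.IGNORECASE)          # image extensions, case-insensitive
URL_LIKE_RE = re.compile(r"^(http|nttp)")                           # RewriteCond %{HTTP_REFERER} ^(http|nttp)
OWN_DOMAIN_SUBSTRING_RE = re.compile(r"photodude\.com", re.IGNORECASE)  # !photodude\.com [NC]


def blocked_by_page_rules(path, referer):
    """True when the rules on this page would answer 403 Forbidden.

    Every RewriteCond has to hold for the RewriteRule's [F] to fire, so each
    'return False' below is one condition letting the request through.
    Apache expands %{HTTP_REFERER} to "" when the header is absent.
    """
    if not IMAGE_RE.search(path):
        return False                      # not an image: the rules never apply
    if not URL_LIKE_RE.match(referer):
        return False                      # "-", "XXXX:++++", "Referrer blocked by ..." are served
    if referer == "":
        return False                      # no referrer at all (already excluded above; kept to mirror the file)
    if OWN_DOMAIN_SUBSTRING_RE.search(referer):
        return False                      # the site's own pages
    return True


# Hardened variant (this example's suggestion, not on the page): require the
# domain to be the referrer's host (or a subdomain of it) rather than a
# substring anywhere in the URL.
OWN_HOST_RE = re.compile(
    r"^https?://([^/?#]+\.)?photodude\.com(:\d+)?([/?#]|$)", re.IGNORECASE)


def blocked_by_host_anchored_rules(path, referer):
    """Same policy as the page, but the domain test is anchored to the host part."""
    if not IMAGE_RE.search(path):
        return False
    if not referer.lower().startswith("http"):
        return False                      # blank or privacy-software placeholders are served
    if OWN_HOST_RE.match(referer):
        return False                      # genuinely from photodude.com or a subdomain
    return True


# Constructed sample requests: (request path, Referer header value)
SAMPLE_REQUESTS = [
    ("/photos/sunset.jpg", ""),
    ("/photos/sunset.jpg", "Referrer blocked by AddSubtract"),
    ("/photos/sunset.jpg", "XXXX:++++++++"),
    ("/photos/sunset.jpg", "-"),
    ("/photos/sunset.jpg", "http://www.photodude.com/gallery/"),
    ("/photos/sunset.jpg", "http://forum.example/thread/42"),
    ("/photos/sunset.jpg", "http://forum.example/?via=photodude.com"),   # substring bypass
    ("/photos/sunset.jpg", "http://photodude.com.evil.example/"),        # hostname-prefix bypass
    ("/about.html",        "http://forum.example/thread/42"),            # not an image
]


def decision_table():
    """(path, referer, page rules block?, host-anchored rules block?) for each sample."""
    return [(p, r, blocked_by_page_rules(p, r), blocked_by_host_anchored_rules(p, r))
            for p, r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for path, ref, page, anchored in decision_table():
        print(f"{path:22} {ref!r:45} page={'403' if page else 'ok '} anchored={'403' if anchored else 'ok '}")
```

Running it shows the two rows where the page’s substring test serves an image to an outside page while the host-anchored test refuses it; every placeholder referrer from privacy software is served by both.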

This has undergone testing that nearly made my head explode, so you know it’s been fully thrashed into submission. In fact, I can report it’s been working for over a week without a single “403 Forbidden” from the server that wasn’t well deserved (there were over 20 pages on eight domains that were pilfering my bandwidth until I put this in place).

At any rate, I thought it might be of use to someone. And provide others with a good nap catalyst.

Peanut Gallery

1  mb wrote:

G’day!
Just wanted to thank you for sharing your mod-rewrite rules for preventing bandwidth theft. Your set of rules works for me – I have been trying various ‘standard’ rules without success.
I look forward to learning how to deploy – in conjunction with the existing anti-bandwidth theft rules – the PHP script, which allows a directly requested image to be displayed in an HTML page containing the appropriate credit and back link.
Cheers,
mb

Comment by mb · 08/06/04 02:38 AM