Apache

ID #223

How do I stop other websites from using my bandwidth while they steal images, flash, etc. from my site?

Applies to: Grid System

Other websites can serve your content to their visitors by linking to your objects from their webpages. For example, www.badsite.com might have some HTML on their site like

<img src="http://yoursite.com/img.gif" alt="" />

With that markup, yoursite.com serves an image for every visitor to badsite.com. The image appears out of context from your website, and the badsite.com visitor never learns that it came from yoursite.com and never visits yoursite.com. This is known as "hotlinking".

Aside from the theft of copyright, hotlinking is harmful because those visitors from badsite.com use up yoursite.com's bandwidth allowance. If there is enough traffic at badsite.com, then yoursite.com could end up being charged a lot of money for bandwidth usage that went to the benefit of badsite.com.

This type of bandwidth theft can happen with any media type (zip, pdf, swf, wav, mov, mp3, etc.), not just images.

There are several things you can do to prevent people from hotlinking to your property, and using your bandwidth, to serve their visitors at some other website.

  • If you would like to block all websites other than your own from serving objects (images, flash files, etc.) from your site, you can use the following mod_rewrite rules in a file named .htaccess (include the period in the filename). The rules protect all files in the same directory as the .htaccess file, as well as in all directories below it. The .htaccess file must be a plain text file in ASCII format: if you write the file on your own computer, use Notepad or another plain text editor (NOT MS Word), and if you FTP the file to the server, transfer it in ASCII mode, not BINARY mode.

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://yoursite\.com(/|$) [NC]
    RewriteCond %{HTTP_REFERER} !^https?://www\.yoursite\.com(/|$) [NC]
    RewriteRule \.(gif|jpg|swf|png)$ - [NC,F]


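    The above should be on 5 separate unbroken lines (even though the lines may have wrapped in your browser window), where each line begins "Rewrite....", and you need to replace "yoursite.com" with the domain name of your own website. The first condition lets requests that carry no Referer header through, so visitors whose browser or proxy strips the header can still load your files.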

  • To block only a few specific sites from serving your objects, you would do the following instead:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} badsite\.com [OR,NC]
    RewriteCond %{HTTP_REFERER} otherbadsite\.com [OR,NC]
    RewriteCond %{HTTP_REFERER} thirdbadsite\.com [NC]
    RewriteRule \.(gif|jpg|swf|png)$ - [NC,F]


    The above should be on 5 separate unbroken lines (even though the lines may have wrapped in your browser window) where each newline begins "Rewrite...."

    In both of the above examples, you can change the filename extensions (gif, jpg, swf) to other file extensions, or add other extensions to the list (like mp3, zip) as appropriate.

  • Another option is to make it so that an image or object of your choice is served to visitors of badsite.com instead of the object that badsite.com was trying to steal. This is done by replacing only the last line in either of the above examples with:

    RewriteRule ^(?!.*bad\.gif$).*\.(gif|jpg)$ http://yoursite.com/bad.gif [R,NC]

    all on 1 unbroken line. The pattern skips bad.gif itself; otherwise the redirected request, which still carries badsite.com's Referer, would match the rule again and redirect in a loop.

    Then, if badsite.com was stealing a GIF or JPEG from you, visitors of badsite.com will see bad.gif (which could be an image that says "This site steals images") instead of any other file that ends in .gif or .jpg. Doing this will still cost you bandwidth, since you will continue to serve objects for the other site, just not the ones they wanted.
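The following is an added example, not part of the original FAQ: a small Python model of the "block everyone but my own site" rule set, run over constructed requests. It compares a prefix-only Referer pattern with one that escapes the dots and ends the host name; the lookalike host `yoursite.com.badsite.com` and the sample paths are assumptions made for the test.

```python
import re

# Two ways to write the "own site" Referer patterns (yoursite.com is the
# FAQ's placeholder domain). LOOSE only checks a prefix and leaves dots
# unescaped; ANCHORED escapes the dots and requires the host name to end.
LOOSE = [r"^http://yoursite.com", r"^http://www.yoursite.com"]
ANCHORED = [r"^https?://yoursite\.com(/|$)", r"^https?://www\.yoursite\.com(/|$)"]
PROTECTED = re.compile(r"\.(gif|jpg|swf|png)$", re.IGNORECASE)


def decide(path, referer, allowed):
    """Return 403 where the rule set would answer [F], otherwise 200."""
    if not PROTECTED.search(path):
        return 200              # RewriteRule pattern does not match the path
    if referer == "":
        return 200              # RewriteCond %{HTTP_REFERER} !^$ is false
    for pattern in allowed:
        if re.search(pattern, referer, re.IGNORECASE):
            return 200          # one of the "!pattern" conditions is false
    return 403                  # every condition held, so the rule fires


# Constructed sample requests: (requested path, Referer header value).
SAMPLES = [
    ("/img.gif", "http://yoursite.com/page.html"),        # your own page
    ("/img.gif", "http://www.badsite.com/gallery.html"),  # hotlinking page
    ("/img.gif", ""),                                     # no Referer sent
    ("/img.gif", "http://yoursite.com.badsite.com/"),     # lookalike host
    ("/index.html", "http://www.badsite.com/gallery.html"),  # not protected
]


def run(allowed):
    """Evaluate every sample request against one set of Referer patterns."""
    return [decide(path, referer, allowed) for path, referer in SAMPLES]


if __name__ == "__main__":
    rows = zip(SAMPLES, run(LOOSE), run(ANCHORED))
    for (path, referer), loose, anchored in rows:
        shown = referer or "(no Referer)"
        print(f"{path:12} {shown:38} loose={loose} anchored={anchored}")
```

The two pattern sets differ only on the lookalike host: the prefix-only pattern treats it as your own site, while the anchored pattern refuses it.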

    Last update: 2010-11-11 17:18
    Author: FAQ Admin
    Revision: 1.3


    Comment of Anonymous:
    Trying to block other websites from letting their visitors directly access your content will not work if you try using "Deny from.." .htaccess directives like:

    deny from www.badsite.com 192.168.72.

    This is because "www.badsite.com" or the IP address of badsite.com "192.168.72.x" is not the one downloading the stolen files. It is the VISITORS of badsite.com that are downloading the stolen files because they are being told to do so by the bad HTML on badsite.com. The "Deny from..." directives can only block individual end clients, and there will be thousands of them, and you will not be able to predict their IP addresses.

    Therefore, the only way the "Deny from..." directive is useful is if you have a specific bad robot or specific end client who is repeatedly doing something bad on your site. Then you can identify that individual by IP address or IP range and deny access to your site.

    For foiling hotlinking, you need to use mod_rewrite. Deny directives will not help you.

    Added at: 2003-03-12 20:07

    Comment of Anonymous:
    When you are testing this, create a new image to upload to your website that your browser has never seen before. That way, your browser won't feed you a cached copy of the image that it cannot get from the protected website, and it won't fool you into thinking the .htaccess protection is not working. To test it, you'll need to go to a page on someone else's website that is trying to hotlink to your test image:

    On some other site, a page that contains:


    Added at: 2003-05-09 22:35

    Comment of Anonymous:
    This script can also be used to protect files from hotlinking:
    http://www.neodelight.com/personal/flo/securemedia
    Added at: 2004-10-13 16:51

    Comment of Anonymous:
    It will protect your swf files if you change the jpg or gif in the example above. I'm using this right now.
    Added at: 2005-03-28 18:05
