Jun 20, 2008

Crafting An Effective Hotlink Response, Part 2

I once believed an image response could shame or punish hotlinkers. It can't and won't. Here's what to do instead.

You can't shame or punish hotlinkers: others will simply hotlink your hotlink image for themselves. Your own effort gets redirected against you, like jujitsu. Therefore, the most effective response is nothing: instruct your webserver to deny image requests that don't come from your own pages. In the widely used Apache webserver this is done with a RewriteRule, and it looks like this:

Contents of .htaccess file in your site's directory:

1  RewriteEngine On
2  RewriteCond %{REQUEST_FILENAME} (jpe?g|gif|png)$ [NC]
3  RewriteCond %{HTTP_REFERER} !^$
4  RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)*example\.com/ [NC]
5  RewriteRule (.*) - [F,L]

The lines translate to:

  1. enable the rewriting engine
  2. if an image is requested...
  3. and the request carries a Referer header (it was embedded in some web page rather than typed into the address bar)...
  4. and that page isn't on my site (example.com)...
  5. then forbid the request (HTTP 403)

Notes:

  • change "example.com" on line 4 to your own website's address.
  • you may include multiple copies of line 4, one for each domain/website you host or want to allow to hotlink. I do this for a few select places.

There exist many better explanations of this technique.
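To see what those five lines actually decide for a given request, here is an added Python model of the policy (my own code, not part of the original post and not Apache itself); it assumes the `example.com` placeholder from the listing, and the sample requests are constructed to cover the edge cases worth checking, including a lookalike host and why the dot in line 4 should be escaped.

```python
import re

# Re-implementation of the five-line .htaccess policy, so the decision
# it makes for a request can be checked without running Apache.
IMAGE_RE = re.compile(r"(jpe?g|gif|png)$", re.IGNORECASE)                    # line 2
OWN_SITE_RE = re.compile(r"^https?://([^.]+\.)*example\.com/", re.IGNORECASE)  # line 4


def is_forbidden(path: str, referer: str) -> bool:
    """Return True when the rules would answer 403 Forbidden.

    All three RewriteCond lines must hold for the RewriteRule to fire,
    so any single failing condition lets the request through.
    """
    if not IMAGE_RE.search(path):        # line 2: only image files are policed
        return False
    if referer == "":                    # line 3: a blank Referer is allowed
        return False
    if OWN_SITE_RE.match(referer):       # line 4: our own pages may embed images
        return False
    return True                          # line 5: [F] -> 403


def classify(requests):
    """Map (path, referer) pairs to 'allow'/'deny' for a quick policy audit."""
    return {(p, r): ("deny" if is_forbidden(p, r) else "allow") for p, r in requests}


# Constructed sample requests (hostnames under .invalid are placeholders).
SAMPLE = [
    ("/photos/cat.jpg", "http://example.com/gallery.html"),       # own site
    ("/photos/cat.JPG", "https://www.example.com/"),              # subdomain, https, odd case
    ("/photos/cat.jpg", ""),                                      # no Referer: allowed
    ("/photos/cat.jpg", "http://forum.invalid/thread/123"),       # hotlink from elsewhere
    ("/photos/cat.jpg", "http://example.com.attacker.invalid/"),  # lookalike: trailing / in line 4 matters
    ("/photos/cat.jpg", "http://exampleXcom/"),                   # why the dot is escaped
    ("/style.css", "http://forum.invalid/thread/123"),            # not an image: never policed
]

if __name__ == "__main__":
    for (path, ref), verdict in classify(SAMPLE).items():
        print(f"{verdict:5}  {path:18}  Referer={ref!r}")
```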

Food for thought

By far the worst offenders are high-traffic message boards that allow inline images. Users of these boards often do not even have their own site to host from, so hotlinking is the most straightforward way of expressing themselves. One solution would be for the message-board sites to copy images hosted elsewhere and serve them themselves, but that would cost them bandwidth. Another would be to require image URLs to be on a whitelist of domains that allow hotlinking, such as dedicated image-hosting sites.

I've considered attempting to punish hotlinkers by redirecting requests back at them. We could target the offending page, or possibly some other target such as /, /favicon.ico, /style.css. The goal being to exact a hotlink-allowance tax in the form of bandwidth. We could even target an intentionally non-existing file on the host such as /some-really-long-rude-string-that-tells-them-not-to-allow-hotlinks-and-uses-up-as-much-disk-space-as-possible.jpg in order to accumulate offending entries in their webserver's error log. This concept seems a bit juvenile, but then so is the web.

Ryan Flynn is a programmer and problem solver.