Better image hotlinking control


Ben Hammersley warns about an architectural issue with blocking image theft and online aggregators:

if you publish a full content feed, web-based aggregators won’t be able to display any images it might contain if you’ve set up apache to prevent bandwidth-stealing by people posting your images on another page. Obvious, yes, but significant.

Later this week I resorted to using this htaccess technique to prevent image hotlinking. This didn't prevent the images from appearing in my aggregator (NetNewsWire), but I realize it would cause trouble for those using web-based aggregators.

Sophie left me a comment with a better alternative, which consists of specifically blocking the offenders rather than flatly refusing all image hotlinking. That's what I implemented today, with these rules:

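RewriteEngine On
# Never rewrite requests for the replacement image itself (avoids a redirect loop)
RewriteCond %{REQUEST_URI} !hotlinkImage\.gif$
# Apply only when the Referer is the offending domain
RewriteCond %{HTTP_REFERER} http://.*pallavoloromana\.it
# Redirect its GIF/JPG requests to the replacement image
RewriteRule .*\.(gif|GIF|jpg|JPG)$ http://www.padawan.info/en/images/hotlinkImage.gif [R,L]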

Ben notes that this requires monitoring your logs to find the abusers. This is true: it does need a bit of inspection to find the villains, but blocking all hotlinking now seems to me an overreaction. I think it's more responsible of me to filter out the few abusers rather than block everyone -- and therefore legit users I didn't think about -- even if it requires a bit more work from me.

N.B.: if you want to reuse this technique, you'll need to create an image that will be sent in lieu of the hotlinked one (in my code, it's located at and of course change the URL to match your own, as well as the list of offending domains (there is only one in this example).
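
The log inspection mentioned above can be partly automated. The following is an added example, not code from the original post: it totals image bytes served per external Referer host from Apache combined-format log lines and builds RewriteCond lines for the hosts chosen for blocking. The function names, the sample log lines and aggregator.example are assumptions made for illustration, and the generated pattern is anchored more tightly than the one in the rules above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format: "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" \d{3} '
                    r'(?P<bytes>\d+|-) "(?P<referer>[^"]*)" "[^"]*"')
IMAGE_RE = re.compile(r"\.(gif|jpg)$", re.IGNORECASE)  # same types as the RewriteRule
HOST_RE = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?")  # plain hostname only

SAMPLE_LOG = [  # constructed log lines, not taken from a real server
    '203.0.113.5 - - [10/Mar/2004:10:00:00 +0100] "GET /en/images/a.jpg HTTP/1.1" 200 48000 "http://www.pallavoloromana.it/forum/1.html" "Mozilla/4.0"',
    '203.0.113.6 - - [10/Mar/2004:10:00:05 +0100] "GET /en/images/a.jpg HTTP/1.1" 200 48000 "http://www.pallavoloromana.it/forum/1.html" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Mar/2004:10:01:00 +0100] "GET /en/images/b.GIF HTTP/1.1" 200 9000 "http://aggregator.example/view" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Mar/2004:10:02:00 +0100] "GET /en/images/b.GIF HTTP/1.1" 200 9000 "-" "NetNewsWire/1.0"',
    '198.51.100.9 - - [10/Mar/2004:10:03:00 +0100] "GET /en/images/a.jpg HTTP/1.1" 200 48000 "http://www.padawan.info/en/" "Mozilla/5.0"',
    '192.0.2.1 - - [10/Mar/2004:10:04:00 +0100] "GET /en/images/a.jpg HTTP/1.1" 200 48000 "http://bad_host$1.example/x" "curl"',
]

def hotlink_bytes(lines, own_hosts, allowed_hosts=()):
    """Total image bytes served per external Referer host."""
    skip = {h.lower() for h in (*own_hosts, *allowed_hosts)}
    totals = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            path = urlsplit(m["path"]).path
            host = (urlsplit(m["referer"]).hostname or "").lower()
        except ValueError:  # malformed URL in the request or the Referer
            continue
        # The Referer is client-controlled: keep only plain hostnames so a crafted
        # value can never inject syntax into the generated rules. "-" is dropped too.
        if not IMAGE_RE.search(path) or host in skip or not HOST_RE.fullmatch(host):
            continue
        totals[host] += int(m["bytes"]) if m["bytes"] != "-" else 0
    return totals

def rewrite_conds(hosts):
    """RewriteCond lines for the chosen hosts, OR-ed so that any one matches."""
    hosts = sorted(h for h in hosts if HOST_RE.fullmatch(h))
    return [r"RewriteCond %{HTTP_REFERER} ^https?://" + h.replace(".", r"\.")
            + ("([:/]|$) [NC,OR]" if i < len(hosts) - 1 else "([:/]|$) [NC]")
            for i, h in enumerate(hosts)]

if __name__ == "__main__":
    found = hotlink_bytes(SAMPLE_LOG, ["www.padawan.info"], ["aggregator.example"])
    print("\n".join(rewrite_conds(found)))
```

The generated lines take the place of the single HTTP_REFERER condition, between the REQUEST_URI condition and the RewriteRule. Review the totals before blocking anything: a web-based aggregator shows up in the same report and belongs in `allowed_hosts`.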