Better image hotlinking control

Ben Hammersley warns about an architectural issue with blocking image theft and online aggregators:

if you publish a full content feed, web-based aggregators won’t be able to display any images it might contain if you’ve set up apache to prevent bandwidth-stealing by people posting your images on another page. Obvious, yes, but significant.

Later this week I resorted to using this htaccess technique to prevent image hotlinking. This didn't prevent the images from appearing in my aggregator (NetNewsWire), but I realize it would cause trouble for those using web-based aggregators.

Sophie left me a comment with a better alternative, which consists of specifically blocking the offenders rather than flat-out refusing all image hotlinking. That's what I implemented today, with these rules:

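# Turn on mod_rewrite for this directory
RewriteEngine On
# Never rewrite the replacement image itself (avoids a redirect loop)
RewriteCond %{REQUEST_URI} !hotlinkImage\.gif$
# Match only requests referred by the offending site
RewriteCond %{HTTP_REFERER} http://.*pallavoloromana\.it
# Redirect its GIF/JPG requests to the replacement image (the target is a plain URL, not a regex)
RewriteRule .*\.(gif|GIF|jpg|JPG)$ http://www.padawan.info/en/images/hotlinkImage.gif [R,L]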

Ben notes that this requires monitoring your logs to find the abusers. This is true: it does need a bit of inspection to find the villains, but blocking all hotlinking now seems to me an overreaction. I think it's more responsible of me to filter out the few abusers rather than block everyone -- and therefore legit users I didn't think about -- even if it requires a bit more work from me.

N.B.: if you want to reuse this technique, you'll need to create an image that will be sent in lieu of the hotlinked one (in my code, it's located at www.padawan.info/en/images/hotlinkImage.gif) and of course change the URL to match your own, as well as the list of offending domains (there is only one in this example).
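The log inspection mentioned above can be scripted. The following is an added example, not code from the original post: it tallies image requests per foreign referring host so that a person can review the list before adding anyone to the rules. It assumes Apache's "combined" log format; the function names, the sample log lines and the host aggregator.example are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
                     r'(?P<size>\d+|-) "(?P<referer>[^"]*)" "[^"]*"')
IMAGE_RE = re.compile(r"\.(gif|jpe?g)(\?.*)?$", re.IGNORECASE)

# Constructed sample log lines (addresses, paths and aggregator.example are made up)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2004:13:55:36 +0200] "GET /en/images/cat.jpg HTTP/1.1" 200 48211 "http://www.pallavoloromana.it/forum/t1.html" "Mozilla/4.0"',
    '203.0.113.9 - - [10/Oct/2004:13:56:02 +0200] "GET /en/images/dog.GIF HTTP/1.1" 304 - "http://www.pallavoloromana.it/forum/t2.html" "Mozilla/4.0"',
    '198.51.100.4 - - [10/Oct/2004:14:01:10 +0200] "GET /en/images/cat.jpg HTTP/1.1" 200 48211 "http://www.padawan.info/en/" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Oct/2004:14:02:44 +0200] "GET /en/images/cat.jpg HTTP/1.1" 200 48211 "-" "NetNewsWire/2.0"',
    '198.51.100.9 - - [10/Oct/2004:14:05:19 +0200] "GET /en/images/cat.jpg HTTP/1.1" 200 48211 "http://aggregator.example/feeds/42" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2004:14:09:51 +0200] "GET /en/images/bird.jpg HTTP/1.1" 302 310 "http://www.pallavoloromana.it/forum/t3.html" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Oct/2004:14:10:03 +0200] "GET /en/index.html HTTP/1.1" 200 9120 "http://www.pallavoloromana.it/links.html" "Mozilla/4.0"',
]


def hotlink_referers(lines, own_hosts):
    """Count image hits that were served (200/304) to pages on foreign hosts."""
    own = {h.lower() for h in own_hosts}
    hits = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["status"] not in ("200", "304"):
            continue  # e.g. 302: a request the rules already redirected
        if not IMAGE_RE.search(m["path"]):
            continue
        host = (urlsplit(m["referer"]).hostname or "").lower()
        # "-" means no referer was sent (e.g. a desktop feed reader): nothing to attribute
        if host and host not in own:
            hits[host] += 1
    return hits


def rewrite_conds(hosts):
    """Render reviewed hosts as RewriteCond lines; [OR] joins all but the last."""
    conds = [f"RewriteCond %{{HTTP_REFERER}} http://.*{re.escape(h)}" for h in hosts]
    return [c + " [OR]" for c in conds[:-1]] + conds[-1:]


if __name__ == "__main__":
    counts = hotlink_referers(SAMPLE_LOG, {"www.padawan.info", "padawan.info"})
    for host, n in counts.most_common():
        print(n, host)  # review by hand: aggregator.example is a legitimate reader
    print("\n".join(rewrite_conds(["www.pallavoloromana.it"])))
```

The generated RewriteCond lines replace the single HTTP_REFERER condition in the rules above; without [OR], mod_rewrite requires every condition to match at once.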