Better image hotlinking control

Ben Hammersley warns about an architectural conflict between blocking image theft and online aggregators:

If you publish a full content feed, web-based aggregators won't be able to display any images it might contain if you've set up Apache to prevent bandwidth-stealing by people posting your images on another page. Obvious, yes, but significant.

Later this week I resorted to using this .htaccess technique to prevent image hotlinking. This didn't prevent the images from appearing in my aggregator (NetNewsWire), but I realize it would cause trouble for those using web-based aggregators.

Sophie left me a comment with a better alternative, which consists of specifically blocking the offenders rather than flat out refusing all image hotlinking. That's what I implemented today, with these rules:

RewriteEngine On
# Never rewrite the placeholder itself, otherwise the redirect below would loop
# (the redirected request still carries the offending Referer)
RewriteCond %{REQUEST_URI} !hotlinkImage\.gif$
# Only requests whose Referer points at the offending site; the pattern is not
# anchored, so any Referer that merely contains this string matches too
RewriteCond %{HTTP_REFERER} http://.*pallavoloromana\.it
# Send their image requests to the placeholder; the substitution is a plain URL, not a regex
RewriteRule .*\.(gif|GIF|jpg|JPG)$ http://www.padawan.info/en/images/hotlinkImage.gif [R,L]

Ben notes that it requires monitoring your logs to find the abusers. This is true: it does need a bit of inspection to find the villains, but blocking all hotlinking now seems to me an overreaction. I think it's more responsible of me to filter out the few abusers rather than block everyone -- and therefore legitimate users I didn't think about -- even if it requires a bit more work from me.

N.B.: if you want to reuse this technique, you'll need to create an image that will be sent in lieu of the hotlinked one (in my code, it's the hotlinkImage.gif referenced in the RewriteRule). Of course, change that URL to match your own, as well as the list of offending domains (there is only one in this example; if you add more, each RewriteCond but the last needs the [OR] flag, since conditions are combined with AND by default and a Referer can only point at one site).
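Finding the offenders in the logs, which is what Ben's objection comes down to, and turning them into rules of the shape above can be scripted. The following Python is an added example for this page, not the author's own tooling. It assumes the Apache "combined" LogFormat, constructed sample log lines (padawan.info is the site from the post, feeds.example.net stands in for a hypothetical web-based aggregator), and the placeholder image name hotlinkImage.gif from the rules above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
IMAGE_RE = re.compile(r'\.(gif|jpe?g|png)$', re.IGNORECASE)

# Constructed sample lines, not real traffic. feeds.example.net is a
# hypothetical web-based aggregator that shows up like a hotlinker.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Oct/2011:13:55:36 +0200] "GET /en/images/photo1.jpg HTTP/1.1" 200 48213 "http://www.padawan.info/en/2011/10/some-post.html" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2011:13:56:01 +0200] "GET /en/images/photo1.jpg HTTP/1.1" 200 48213 "http://www.pallavoloromana.it/forum/thread.php?id=42" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2011:13:57:12 +0200] "GET /en/images/photo2.JPG?v=2 HTTP/1.1" 200 91002 "http://www.pallavoloromana.it/forum/thread.php?id=42" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2011:13:58:30 +0200] "GET /en/images/photo1.jpg HTTP/1.1" 200 48213 "-" "NetNewsWire/3.2"
203.0.113.11 - - [10/Oct/2011:13:59:02 +0200] "GET /en/images/photo1.jpg HTTP/1.1" 200 48213 "http://feeds.example.net/reader?feed=padawan" "Mozilla/5.0"
203.0.113.13 - - [10/Oct/2011:14:00:15 +0200] "GET /en/images/missing.gif HTTP/1.1" 404 512 "http://www.pallavoloromana.it/forum/thread.php?id=43" "Mozilla/5.0"
203.0.113.15 - - [10/Oct/2011:14:01:40 +0200] "GET /en/2011/10/some-post.html HTTP/1.1" 200 12044 "http://www.pallavoloromana.it/forum/thread.php?id=43" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Lower-cased host of the Referer, or '' when absent ('-') or unparsable."""
    if not referer or referer == '-':
        return ''
    return (urlsplit(referer).hostname or '').lower()


def is_own_host(host, own_domain):
    """True for own_domain itself and any of its subdomains."""
    return host == own_domain or host.endswith('.' + own_domain)


def find_hotlinkers(lines, own_domain):
    """Count successfully served images per foreign referring host.

    Empty referers are ignored on purpose: feed readers, privacy proxies and
    direct visits send none, and blocking them is what breaks aggregators.
    """
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['status'] != '200':
            continue
        if not IMAGE_RE.search(urlsplit(rec['target']).path):  # drop ?query
            continue
        host = referer_host(rec['referer'])
        if host and not is_own_host(host, own_domain):
            hits[host] += 1
    return hits


def rewrite_rules(offenders, placeholder_name, placeholder_url):
    """.htaccess lines in the shape of the post's rules for the chosen offenders.

    The placeholder is excluded first so the redirect cannot loop (the
    redirected request still carries the offending Referer). Conditions are
    AND-ed by default, so every offender but the last is flagged [OR].
    """
    domains = sorted({d[4:] if d.startswith('www.') else d for d in offenders})
    lines = ['RewriteEngine On',
             rf'RewriteCond %{{REQUEST_URI}} !{re.escape(placeholder_name)}$']
    for i, dom in enumerate(domains):
        flag = '[NC,OR]' if i < len(domains) - 1 else '[NC]'
        # Anchored to the host part, unlike the post's http://.*domain pattern.
        lines.append(rf'RewriteCond %{{HTTP_REFERER}} ^https?://([^/]+\.)?{re.escape(dom)}(/|$) {flag}')
    lines.append(rf'RewriteRule \.(gif|jpe?g|png)$ {placeholder_url} [NC,R,L]')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    hits = find_hotlinkers(SAMPLE_LOG, 'padawan.info')
    for host, n in hits.most_common():
        print(f'{n:5d}  {host}')
    # A human decides which hosts are abusers; here we take the top one.
    print(rewrite_rules([hits.most_common(1)[0][0]], 'hotlinkImage.gif',
                        'http://www.padawan.info/en/images/hotlinkImage.gif'))
```

The generated Referer pattern is anchored to the host, unlike the post's http://.*pallavoloromana\.it, which also matches a Referer whose path or query string merely contains that text. Empty referers are deliberately left alone, since that is what keeps NetNewsWire and friends working. And the report is only a shortlist: a web-based aggregator shows up in it exactly like an abuser, so the decision to block stays with a human, which is the point of the post.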
