Home
 

Customer Support

Search for keywords:

Browse by category:

How do I stop other websites from using my bandwidth
while they steal images, flash, etc. from my site?

It is possible for other websites to serve your content to their visitors by linking to your objects from their webpages. For example, www.badsite.com might have some html on their site like

<img src=http://yoursite.com/img.gif>


That would make it so that for every visitor to badsite.com, yoursite.com would serve an image. This image would be out of context from your website, and the badsite.com visitor would never know the image was coming from yoursite.com and would not visit yoursite.com. This is also known as "hotlinking".

The reason it is bad, aside from theft of copyright, is because those visitors from badsite.com are using up yoursite.com's bandwidth allowance. If there is enough traffic at badsite.com, then yoursite.com could end up being charged a lot of money for bandwidth usage that went to the benefit of badsite.com.

This type of bandwidth theft can happen with any media type (zip, pdf, swf, wav, mov, mp3, etc.), not just images.

There are several things you can do to prevent people from hotlinking to your property, and using your bandwidth, to serve their visitors at some other website.

  • If you would like to block all websites other than your own from serving objects (images, flash files, etc) from your site, then you can use the following mod_rewrite rules in a file named .htaccess (include the period in the filename). The rules will protect all files in the same directory as the .htaccess file, as well as all directories below the one that contains the .htaccess file. The .htaccess file must be a plain text file in ascii format, which means if you write the file on your own computer, you should write it in Notepad or another plain text editor (NOT MS Word) and then if you FTP the file to the server, transfer it in ASCII mode, not BINARY mode.

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://yoursite.com [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.yoursite.com [NC]
    RewriteRule .*.(gif|jpg|swf|png)$ - [NC,F]

    The above should be on 5 separate unbroken lines (even though the lines may have wrapped in your browser window) where each newline begins "Rewrite....", and you need to replace "yoursite.com"
    with the domain name of your own website.

  • To block only a few specific sites from serving your objects, you would do the following instead:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} badsite.com [OR,NC]
    RewriteCond %{HTTP_REFERER} otherbadsite.com [OR,NC]
    RewriteCond %{HTTP_REFERER} thirdbadsite.com [NC]
    RewriteRule .*.(gif|jpg|swf|png)$ - [NC,F]

    The above should be on 5 separate unbroken lines (even though the lines may have wrapped in your browser window) where each newline begins "Rewrite...."

    Also, in both of the above examples, you could also change filename extensions (gif, jpg, swf) to other file extensions, or add other extensions to the list (like mp3, zip) as appropriate.

  • Another option is to make it so that an image or object of your choice is served to visitors of badsite.com instead of the object that badsite.com was trying to steal. This is done by replacing only the last line in either of the above examples with:

    RewriteRule .*.(gif|jpg)$ http://yoursite.com/bad.gif [R,NC]

    all on 1 unbroken line.

    Then, if badsite.com was stealing a GIF or JPEG from you, visitors of badsite.com will see bad.gif (which could be an image that says "This site steals images") instead of any other file that ended in .gif or .jpg. Doing this will still cost you bandwidth since you will continue to serve objects for the other site, just not the ones they wanted.

    User-Contributed Notes

    add a note
    12-Mar-2003 20:07 
    Trying to block other websites from letting their visitors directly
access your content will not work if you try using "Deny from.."
.htaccess directives like:

     deny from www.badsite.com 192.168.72.

This is because "www.badsite.com" or the IP address of badsite.com
"192.168.72.x" is not the one downloading the stolen files. It is the
VISITORS of badsite.com that are downloading the stolen files because
they are being told to do so by the bad HTML on badsite.com. The "Deny
from..." directives can only block individual end clients, and there
will be thousands of them, and you will not be able to predict their IP
addresses.

Therefore, the only way the "Deny from..." directive is useful is if you
have a specific bad robot or specific end client who is repeatedly doing
something bad on your site. Then you can identify that individual by IP
address or IP range and deny access to your site.

For foiling hotlinking, you need to use mod_rewrite. Deny directives
will not help you.

    09-May-2003 22:35 
    When you are testing this, create a new image to upload to your website
that your browser has never seen before. That way, your browser won't
feed you a cached copy of the image that it cannot get from the
protected website, and it won't fool you into thinking the .htaccess
protection is not working. To test it, you'll need to go to a page on
someone else's website that is trying to hotlink to your test image:

On some other site, a page that contains:

   <img src=http://www.yoursite.com/image-not-viewed-yet.jpg

where your browser has never seen image-not-viewed-yet.jpg

You should also empty your browser cache before trying to test this. It
is easier to test on a slow connection with a modem, because if you see
the image start loading, you have time to hit the STOP button, fix your
.htaccess file and Reload to retest, since you won't have downloaded and
cached the image in the failed test.
    torfteufel
    13-Oct-2004 16:51 
    This script can also be used to protect files from hotlinking: 
http://www.neodelight.com/personal/flo/securemedia
    anonymous -at- example.com
    28-Mar-2005 18:05 
    It will protect your swf files if you change the jpg or gif in the
example above. I'm using this right now.

    add a note

    Related Questions:


    Why does my website just say "Error 403 Forbidden"?

    How do I protect a directory with .htaccess?

    How can I show a default page other than index.html?

    How do I stop people from getting directory listings when I dont have an index page?

    What do the different HTTP Status Codes like 200, 304, 404, 401, 403 mean?

    What options are configured with Apache and what can I do with .htaccess files?

    How do I protect a directory with mod_auth_mysql?

    Which Apache modules are installed?

    How do I make my own Error Documents to replace the default ones like 404 Not Found?

    How can I make apache recognize different MIME types?

    The webservers' Gzip compression is messing up my XML or Flash files for Netscape 4 browsers. How do I turn off compression?

    How do I get different character sets to display correctly?

    What webserver do you run?

    Will I have access to raw logfiles?

    I created a symbolic link, and now I am getting a 404 errors.

    How do I stop the server from automatically correcting spelling mistakes in URLs or offering multiple choices for documents?

    My mod_rewrite rules make my website stop loading.

    Why am I getting a 412 Precondition Failed from a website?

    How do I protect my website from comment spam?

    How do I enforce the use of SSL on my website?

    How do I redirect traffic to another web page?

    Browse Categories:

    Getting Started, FTP, Telnet/SSH, Moving Domains, E-mail, Traffic Reports, Mailing Lists, Apache, PHP, CGI, Other Server-Side Scripting, MySQL Database, Imaging Libraries, Other Software, Billing & Terms, Control Panel, E-commerce, Pre-Sales


    • Tiny Modwest Logo         Copyright 2000-2008 by Modwest, Inc.          About Us    |    Blog    |    Jobs    |    Web Design    |    Contact Us