Prevent hotlinking from
August 14, 2005 5:30 PM   Subscribe

I want to use my .htaccess file to specifically eliminate profiles from hotlinking my files. My code is inside...

I have used the following code (based on this example):

RewriteEngine On
RewriteCond % ^http://(www\.)?myspace\.net/ [NC,OR]
RewriteCond %{HTTP_REFERER| ^http://(www\.)?myspace\.com/ [NC\
RewriteRule \.(jpe?g|gif|bmp|png|mp3|mov|wmv)$ - [F]

This works a little too well. When I go to my website i receive an "internal server error". When I delete the .htaccess file, I'm back in.

I have also tried this code (based on this example):

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(cgi¦profiles¦www\.)?myspace\. [NC,OR]

RewriteRule \.(jpe?g|gif|bmp|png|mp3|mov|wmv)$ - [F]

This seems to work okay, but it won't allow these files to be accessed from within my site (say, the front page of my blog). For instance, I see text, but no pictures. When I delete the .htaccess file, everything is back to normal.

Can anybody help me to write a .htaccess file that will prevent hotlinking from and that will allow hotlinking from other locations (especially my own internal site)? I've Googled, searched AskMetafilter archives and followed examples, but nothing is working quite right. I need someone with experience to take a look at what I'm doing here. For what it's worth, my host is and I don't really know what the backend is. I am throwing the .htaccess file in my /var/www/html/ directory. If you need more info please let me know. Thanks in advance for your help.
posted by bwilms to Computers & Internet (17 answers total) 1 user marked this as a favorite
Mod_rewrite is tricky business, I'm not even going to try to figure out what's going on unless stricly necessary, but you might want to look in your error log, there should be more info there when you get an internal server error.
posted by fvw at 5:37 PM on August 14, 2005

Response by poster: That's a thought. It's by no means absolutely necessary. I am just sick of my bandwidth being sucked by profiles hotlinking my mp3/jpg files. My current solution is renaming the files at the end of the month (as I near my bandwidth limit) in order to break their links, which isn't exactly an elegant solution.
posted by bwilms at 5:50 PM on August 14, 2005

three things immediately stand out

1. Internal server error is often the result of your permisisons being set incorrectly, for .htaccess files. Chmod 644, right?

2. it's easier to allow linking from your domain and just disallow it for everyone else. So, something like this [from here]

RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC]

3. Flush your browser cache when testing. Somewhat more here
posted by jessamyn at 5:59 PM on August 14, 2005

Also doteasy appears to only support htaccess files and custom 404 redirects with their ultra packages, which I'm not sure if you have or not. Doteasy discussion about this here.

A few more points they make

- make sure you edit the file with a text editor
- make sure the editor doesn't rename the file .htaccess.txt
- make sure when you save it you're not introducing any weird line wraps
- make sure when you ftp, you set it to transfer ASCII, not binary

This page should have a script that works for you IF you have an Ultra account in the first place.
posted by jessamyn at 6:14 PM on August 14, 2005

Another way to go would be to do a little creative file renaming for whatever it is they're nabing off your site. I'm sure you know the routine, they link to you for a picture of "their" hot car, you substitute one of a guy passed out on a rusted out Pinto, they link to your prized high-fi Enya collection, you sub in files where the volume is so low for the first minute that they can't hear it, then cut to The Best of "Hot Bitch Cat Fights '98" with the volume set to 11, that kind of thing.
posted by Ken McE at 6:20 PM on August 14, 2005

Response by poster: Thanks for the suggestions. I really appreciate the help.

jessamyn: I would like to avoid blocking all external referers since I want to be able to link files through message boards and such. I am,in fact, an Ultra member at Doteasy. However, I am not positive if I completed those steps. I will be sure to take a little more care when I try to troubleshoot this issue tomorrow afternoon.

Ken McE: I have considered this. I've even gone as far as making custom high-pitched, screeching mp3 files as replacements (which admittedly was fun), but overall I just want to "set it and forget it".
posted by bwilms at 6:35 PM on August 14, 2005

Here's what I do on my site, copied and pasted exactly:

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://(profiles\.)?myspace\.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?myspace\.com/.*$ [NC]
RewriteRule \.(gif|GIF|JPG|jpg)$ [R,L]

It works fine for me. They still link to me, and most of the time they've got the original image they're stealing cached so they don't even see my replacement. Their friends do though, so I at least get a laugh. (Oh, and feel free to use my PNG if you want.)
posted by web-goddess at 7:03 PM on August 14, 2005

I wrote about this on my site a little while ago. I was having the same problem with punk kids linking to my photos.
posted by chunking express at 7:06 PM on August 14, 2005

Well, since you got an internal server error, you most likely have something in your error_log. I'd start there and see what it says.

Off the top of my head, it could be a couple of things.
  • mod_rewrite might not be enabled.
  • The webserver might not be configured to AllowOverrides in your directory.

    If you post what it says in your error_log, we should be able to help you more.

  • posted by Laen at 7:06 PM on August 14, 2005

    Your first example is riddled with syntax errors - I wouldn't use that site as a source of examples as it's clearly clueless. That's why the server is giving you an internal error.

    web-goddess's example is good but it can be simplified. [nc] means not case sensitive, so you don't have to list all different cases of filenames. And you can combine the two conditions into one. Don't use the [or] flag unless you have more than one condition and you want to logically 'or' them.
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} ^http://(profiles\.|www\.)?myspace\.com/.*$ [NC]
    RewriteRule \.(gif|jpe?g|png)$ [NC,R,L]
    This will redirect all queries from,, or for images to the selected asshole url. If you want to forbid the request rather than returning an asshole url use "- [NC,F]" as the predicate of the rewriterule.

    The best reference for mod_rewrite are the apache docs:
    posted by Rhomboid at 9:30 PM on August 14, 2005

    Thanks, Rhomboid. I've actually got, oh, about 50 different banned sites in my list, which I edited down to just show the relevant ones. (That's why I had the OR in there.) Yours is certainly more elegant!
    posted by web-goddess at 2:19 AM on August 15, 2005

    Since no one mentioned it, the 3rd line of the first example has 2 typos: The | after HTTP_REFERER should be a } and the \ at the end of the line should be a ]. They really need to get an editor there.

    My take on the condition line you want is: RewriteCond %{HTTP_REFERER} ^https?://([^/]*\.)?myspace\.com/ [NC]

    This will match all subdomains of, but not domain names that happen to end in (e.g. or referers that that happen to include in the path (e.g. Sure, that may be overly defensive, but in my experience it's always better to be more precise than end up wondering why it's blocking something without knowing why.

    Also, the URL Rewriting Guide has an excellent example of using a host list instead of individual RewriteCond lines, which can scale better if you start adding a lot of sites.
    posted by boaz at 12:22 PM on August 15, 2005

    Best answer: FWIW, here's my code. I wanted the same functionality as you: blacklisting sites as needed instead of blanket-blocking everyone. At first, I was just blocking the www, but have since started killing all subdomains as well. I stick this in the directory that has all my photos. (Improvement suggestions welcomed!)

    <Files .htaccess>
    Order Allow,Deny
    Deny from all

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^(http://)?(www\.)?myspace.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(http://)?(www\.)?planetganja.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(http://)?(www\.)?livejournal.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(http://)?(www\.)?ouderalleen.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(http://)?(www\.)?colors4u.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(http://)?(www\.)?fark.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(http://)?(www\.)?novacasa.forumactif.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(http://)?(www\.)?panicfreaks.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(http://)?(www\.)?wilderssecurity.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^.*bbsland.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^.*ezboard.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^.*proboards35.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^.*digitalscrapbookplace.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^.*xanga.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^.*nexopia.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^.*costasurf.*$ [NC,OR]

    # Close it out
    RewriteCond %{HTTP_REFERER} ^.*f00.*$ [NC]
    RewriteRule .* - [F,L]

    posted by Hankins at 12:41 PM on August 15, 2005

    Your really ought to refer all those myspace hotlinks to goatse or tubgirl. It's an Internet tradition at this point.
    posted by keswick at 4:12 PM on August 15, 2005

    Response by poster: Hankins: Thanks! I modified your code and it seems to be working like a charm.

    Thanks to everyone for your help. This is going to be a great resource in case I want to tinker around with my .htaccess file some more.
    posted by bwilms at 6:14 PM on August 15, 2005

    Your really ought to refer all those myspace hotlinks to goatse or tubgirl. It's an Internet tradition at this point.
    posted by angry modem at 7:12 PM on August 15, 2005

    Hankins, those regular expressions really ought to be reworked to only match whole words in the domains. If someone made a site and linked to an image on your site it would be blocked because 'ezboard' (and all the others) will match anywhere in the whole referer.
    posted by Rhomboid at 9:52 PM on August 15, 2005

    « Older Grand Canyon reward trip   |   Convert pdf > doc Newer »
    This thread is closed to new comments.