Apache Rewrite Module

The mod_rewrite Apache module is one of the best tools you can have on your server to help prevent unauthorized sites "hotlinking" your images or other files. Providing that your server has been set up for it, you can use this module for a number of things.

    * To prevent unauthorised use of files and images
    * To hide the real location of files on the server
    * To translate script input from one format to another
    * To redirect the user based on...
          o time of day
          o file they accessed
          o network they are connecting from
          o or anything else that can identify them as part of a "group" of users

Preventing Hotlinking

The most common use of the RewriteEngine is to limit access to specific file types on the server. To do this, you will need to add some rules and conditions to your .htaccess file so that the server knows what to look for and what to do when it finds requests that don't meet the criteria.

When editing your .htaccess file it is recommended that you use Notepad or equivalant to keep the file clean. Remember to upload the file in ASCII mode!

Here is a generic version of the code you will want to use. Of course you will need to make changes before it will work the way you want it to; replace all instances of you.com with your own domain name and add or remove file types as you see fit.

Rewriteengine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://your_domain.com/.*$ "NC"
RewriteCond %{HTTP_REFERER} !^http://www.your_domain.com/.*$ "NC"
RewriteCond %{HTTP_REFERER} !^http://www.trusted.com/.*$ "NC"
RewriteRule .*\.(gif|GIF|jpg|JPG)$ - "F"
How does it Work?

It's all very well having the code, but you may be interested to know how it works so that you can have a go at editing it to behave more like you want it to. If you ever want to disable the rules, it is much better to use the Rewriteengine statement to switch them off as opposed to commenting them out or deleting them from your file.

The RewriteCond lines tells the server to look for requests with HTTP_REFERER strings that are not empty and that match valid uses of your domain as you define them in the file.

The ! at the start of the condition pattern means not, and so negates the result of the pattern that follows it. ^ and $ are special characters used to match the start and the end of the string in question. So the pattern ^http:// would look for strings starting in http:// and gif$ would match strings ending in gif. The sequence .* will match any character for 0 or more times, and so adding it to the start or end of a particular string will allow fuzzy pattern matching of sorts.

The "NC" flag at the end of the RewriteCond lines tells the server to ignore the case (no case) while looking for matches.

The RewriteRule line tells the server how to deal with the requests that match the condition. In this case it is looking for requests to image files that end in .gif or .jpg (either in all capital letters or all lower case, the options to match are shown in brackets separated by the | character). Note that the . has to be un-escaped by adding a \ in front of it as it is the special character that denotes other characters.

When it finds a request that has passed all the conditions and matches the rule, it will rewrite the request with -, although this could just as easily go to a page on your site. Finally the "F" flag tells the server how to respond to the request, in this particular case, it will tell the browser that it is forbidden from retrieving that file.