Topic: A problem with the HTTP_REFERER

Here's the .htaccess script I made to prevent hotlinking:

RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_REFERER} !^http://(www\.)?my.site.com(/)?.*$ [NC]
RewriteRule .*\.(jpe?g)$ /some_picture.jpe [NC,L]

The problem is it blocks not only the requests from outside of the domain but also requests from the Flash viewer :-( I'm still looking for a way to write the RewriteCond to detect that a request is from the viewer so I can exclude it from rewriting.

I can see the others have similar problems (searched for referer through the forum) but still didn't find the solution. I think it wouldn't be too difficult (or time consuming) to insert some kind of a referer so it can be detected via RewriteCond to avoid rewriting the requests from the viewer.

Re: A problem with the HTTP_REFERER

I'm not too familiar with URL rewriting, but I do know that hotlink protection will break Flash image galleries. AFAIK this is a limitation of the Flash Player.

Felix Turner
SimpleViewer Support Team.

Re: A problem with the HTTP_REFERER

I use the following with my simpleviewer site without issue.

<IfModule mod_rewrite.c>
#Prevent image stealing
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com$      [NC]
RewriteRule .*\.(gif|png|jpg)$ - [F,NC]
#END Prevent image stealing
</IfModule>

Mike Richards
SimpleViewer Support Team.

Re: A problem with the HTTP_REFERER

miker wrote:

I use the following with my simpleviewer site without issue.
<snip>

Hi, thanks for answering me. Are you sure your .htaccess still prevents hotlinking? You can use Simpleviewer because the line

RewriteCond %{HTTP_REFERER} !^$

means "don't rewrite the request if HTTP_REFERER is empty". And when Simpleviewer requests the image the referer is empty because the viewer doesn't send the referer. However, requesting the picture directly from the browser (direct URL) also means a non-existing HTTP_REFERER so I believe now everyone can leech your pictures and the script has no purpose (hotlinking prevention) anymore.

The perfect solution would be to make a minor update to the viewers to make them send an HTTP_REFERER so it can be detected via RewriteCond and therefore excluded from the rewriting. It could be any referer but the best solution is if it'd send its own URL.

Re: A problem with the HTTP_REFERER

Yes I know my hot linking code works at least to some extent, because I have had to duplicate the following lines to allow other sites to link my images.

RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite2.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite2.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?sitexyz.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?sitexyz.com$      [NC]
etc.

Mike Richards
SimpleViewer Support Team.

Re: A problem with the HTTP_REFERER

miker wrote:

Yes I know my hot linking code works at least to some extent, because I have had to duplicate the following lines to allow other sites to link my images.
<snip>

That is not a surprise because requests from other sites have a non-empty HTTP_REFERER. The problem is anyone can steal your pictures by simply entering the URL in the browser window (your very first RewriteCond allows that possibility). Removing the !^$ condition prevents picture stealing but also prevents viewers from accessing pictures; that is the reason to update the viewers so they can send a referer.

BTW, no need to put 2 lines into your .htaccess for each site you want to allow to link your images. Each

RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com$ [NC]

you can replace with a single

RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com(/)?.*$ [NC]

The red part of the regular expression is to meet the conditions from both of the lines:

RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com(/)?.*$ [NC]

I agree there is a difference between the 2-line and 1-line versions of the regexp (the one-line version doesn't force a slash after .com) but it is irrelevant for this very purpose.
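Added example, not part of any post in this thread: a small Python model of the RewriteCond chains quoted above, run against constructed Referer values. It shows what the empty-Referer exemption and the optional slash change in practice; the STRICT pattern, the sample URLs and the function names are assumptions made for the illustration.

```python
import re

# Patterns copied from the posts above; the [NC] flag is modelled by re.IGNORECASE.
ALLOW_EMPTY = r"^$"
TWO_LINE = [r"^http://(www\.)?yoursite.com/.*$",
            r"^http://(www\.)?yoursite.com$"]
ONE_LINE = [r"^http://(www\.)?yoursite.com(/)?.*$"]
# Assumption (not from the thread): dots escaped, and a path must start with "/".
STRICT = [r"^http://(www\.)?yoursite\.com(/.*)?$"]

# Constructed Referer values, for illustration only.
SAMPLES = {
    "empty": "",  # direct URL entry, or the Flash viewer as described above
    "own_page": "http://www.yoursite.com/gallery/index.html",
    "own_root": "http://yoursite.com",
    "other_site": "http://forum.example.org/thread/42",
    "longer_host": "http://yoursite.com.example.net/page.html",
}


def is_blocked(referer, negated_patterns):
    """Model a chain of 'RewriteCond %{HTTP_REFERER} !pattern' lines.

    Consecutive RewriteCond lines are ANDed, so the RewriteRule fires
    (the image request is blocked) only when no pattern matches.
    """
    return not any(re.search(p, referer, re.IGNORECASE)
                   for p in negated_patterns)


def evaluate(negated_patterns):
    """Return {sample label: True if blocked} for every constructed sample."""
    return {label: is_blocked(ref, negated_patterns)
            for label, ref in SAMPLES.items()}


if __name__ == "__main__":
    rulesets = {
        "one-line, no empty exemption": ONE_LINE,
        "empty exemption + two-line": [ALLOW_EMPTY] + TWO_LINE,
        "empty exemption + one-line": [ALLOW_EMPTY] + ONE_LINE,
        "empty exemption + strict": [ALLOW_EMPTY] + STRICT,
    }
    for name, patterns in rulesets.items():
        print(name)
        for label, blocked in evaluate(patterns).items():
            print(f"  {label:12} {'blocked' if blocked else 'served'}")
```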

Re: A problem with the HTTP_REFERER

The problem is anyone can steal your pictures by simply entering the URL in the browser window.

This is true, but anything you put up online is potentially up for grabs via downloading, linking, print screening, Firefox's Page Info, etc. The point of hotlink protection is primarily to prevent bandwidth stealing, as there is no infallible way to prevent people from harvesting content. Thank you for your suggestion.

Mike Richards
SimpleViewer Support Team.

Re: A problem with the HTTP_REFERER

Thank you for considering it!

Regards,