While lacking proper documentation, this set of mod_rewrite rules is useful to prevent hotlinking on drupal based sites. It supports both public and private file download methods so people cannot "hotlink" images, movies or the like.
It is something very useful that I would like to see added to the .htaccess file since there are some very big sites starting to use drupal, this might come in handy as a "ready to go" feature. It does not require any specific location in the mod-rewrite IF block. I am currently using it on http://evilsquid.net (my own site) and have not had any issues thus far with it. Feel free to take some of my words to make the documentation of it more clear for the general public.
You can go even further by removing the RewriteCond %{HTTP_REFERER} !^$ to make images only viewable from your website. Good, but can have problems and recourse on certain sites. While tempting, that option should not be commented out without properly analyzing your network traffic.
I did not write any documentation as I can have trouble with words and explaining myself. I know words and things of the like, but communicating them to my fingers is another story altogether. Hopefully someone with more tact and skill will write verbose, easy to understand comments for the general user base.
# Prevent hotlinking
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g|png)$ [NC,OR]
RewriteCond %{QUERY_STRING} \.(gif|jpe?g|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9]+\.)?yourdomain\.here [NC]
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9]+\.)?google\.com [NC]
RewriteRule (.*) - [F,L]
Dibs to http://underscorebleach.net/jotsheet/2004/06/htaccess-prevent-hotlinking for giving me a starting point.
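The traffic analysis the post asks for before dropping the empty-referer exemption can be run against an access log. This is an added example, not part of the original post: it assumes Apache combined log format, lets the URL path stand in for REQUEST_FILENAME, and uses constructed log lines.

```python
import re
from collections import Counter

# Patterns copied from the post's RewriteCond lines; yourdomain.here is its placeholder.
IMAGE = re.compile(r"\.(gif|jpe?g|png)$", re.I)
ALLOWED = [re.compile(r"^http://([a-z0-9]+\.)?yourdomain\.here", re.I),
           re.compile(r"^http://([a-z0-9]+\.)?google\.com", re.I)]
# Assumption: Apache "combined" log format (request, status, size, referer).
LINE = re.compile(r'"(?:GET|HEAD) (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

def classify(path, query, referer, allow_empty=True):
    """Return 'pass' or 'forbid' as the rule set would decide for one request."""
    # Assumption: the URL path stands in for REQUEST_FILENAME.
    if not (IMAGE.search(path) or IMAGE.search(query)):
        return "pass"                      # not an image request, rule does not apply
    if referer in ("", "-"):               # the log records a missing Referer as "-"
        return "pass" if allow_empty else "forbid"
    return "pass" if any(p.search(referer) for p in ALLOWED) else "forbid"

def tally(lines, allow_empty=True):
    """Count how many logged requests the rule set would pass or forbid."""
    counts = Counter()
    for line in lines:
        m = LINE.search(line)
        if m:
            path, _, query = m.group(1).partition("?")
            counts[classify(path, query, m.group(2), allow_empty)] += 1
    return counts

# Constructed sample log lines (not real traffic).
TS = '- - [10/Oct/2005:13:55:36 +0000]'
SAMPLE = [
    f'203.0.113.5 {TS} "GET /files/a.png HTTP/1.1" 200 512 "http://www.yourdomain.here/node/1" "UA"',
    f'203.0.113.6 {TS} "GET /files/a.png HTTP/1.1" 200 512 "-" "UA"',
    f'203.0.113.7 {TS} "GET /index.php?q=system/files/b.jpg HTTP/1.1" 200 900 "http://forum.example.net/t/9" "UA"',
    f'203.0.113.8 {TS} "GET /files/c.gif HTTP/1.1" 200 300 "http://images.google.com/imgres" "UA"',
    f'203.0.113.9 {TS} "GET /node/2 HTTP/1.1" 200 4000 "http://forum.example.net/t/9" "UA"',
    # An https referer from the site itself: the http:// patterns do not match it.
    f'203.0.113.10 {TS} "GET /files/a.png HTTP/1.1" 200 512 "https://www.yourdomain.here/node/1" "UA"',
]

if __name__ == "__main__":
    print("with empty-referer exemption:", dict(tally(SAMPLE)))
    print("without it:", dict(tally(SAMPLE, allow_empty=False)))
```

The difference between the two tallies is the traffic that removing the `RewriteCond %{HTTP_REFERER} !^$` line would start refusing; the last sample line shows that pages served over https are refused by the rules as posted.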
Comments
Comment #1
morbus iff
Won't fix. This has nothing to do with Drupal, and is standard website administration. And some people, believe it or not, want to maintain the spirit of the web (preventing image hotlinking is nothing more than a rabid Ticketmaster running around suing for deep links).
Comment #2
crackerjackmack commented
While it may be your view to promote the spirit of the web, I've had many requests for code to prevent hot linking. I've done a lot of testing to ensure that this code works with drupal. Because I've had quite a few requests for it, I believed that it would be useful to the community and should be included with drupal core.
Take this (true) example. A female model competition site had hosting with a company on a shared hosting plan. They were given a notice that if they did not take measures to prevent hot linking their hosting would be terminated per the AUP that was in place with that hosting company. Regardless if they believed in the spirit of the web, transferring to a new server takes time. Maybe they only need to implement hotlinking for a few days while they transferred their data to a new hosting provider, and maybe they just hate leeches and left it up for the remainder of the site's existence. Either way, they asked for this snip of code and I provided it.
I believe, that while you may or may not agree with a view point, it doesn't mean you should deprive users of choices. I believe in choice, despite the true existence of it. I believe that my viewpoints are void when people are given a choice. We could get into a deep debate about all of that, but I shall try to spare everyone.
I think as a compromise, there should be a hotlinking.txt file with a speech about how much you disagree with hotlinking, and then at the bottom, have this snippet of code. While still providing the choice to users as to whether or not they wish to read your speech, or even use the code. I do not suggest that it be in drupal core .htaccess uncommented by default. I don't agree with that at all and not what I was suggesting in the slightest. I just wanted to have working, drupal-safe, ModRewrite code that was available to the community and not locked up in my private collection of patches and hacks. I've done some tests and I believe it will work with almost any configuration of drupal, thus, I believe it is relevant to drupal. Besides, most "copy-n-paste" ModRewrites do not work with drupal, and is why I worked this one out.
I don't mean to offend and I definitely wasn't asking for a plug. I just wanted the code included as a choice for everyone is all. Nothing personal, I don't honestly use it or want to use it. I had it running on my website as an example only and really have no use for it otherwise.
Comment #3
killes@www.drop.org commented
While I agree that the posted code seems useful for certain cases I doubt it will be included in Drupal core as it isn't really useful for most sites. Maybe it should be posted somewhere here on the site in the tips&tricks section.
Comment #4
morbus iff
I'll be more than happy to review crackerjack's submitted documentation page. Let us know when you've submitted it.
Comment #5
m3avrck commented
Yeah depending on hosting setups, people might already have hotlinking in place. I agree the code snippet is very useful and an appropriate book page should be made documenting this so other people can find it, since it is certainly useful. However, it is outside the scope of Drupal itself (it is a hosting issue, not a drupal issue, do you *just* run drupal on your hosting? you could easily run other galleries etc...)
Comment #6
m3avrck commented
hmm looks like double post overrode that classification change
Comment #7
crackerjackmack commented
Thank you for keeping an open mind about this. I will definitely be submitting some documentation about this.
Comment #8
sepeck commented
no submitted page, closing.