
Blocking Image Hotlinking, Leeching and Evil Sploggers with Url Rewrite - shawndumas
http://www.hanselman.com/blog/BlockingImageHotlinkingLeechingAndEvilSploggersWithIISUrlRewrite.aspx
======
blantonl
I use this simple rewrite rule to prevent user submitted images from being
used on other sites...

    
    
    <Directory /images>
        RewriteEngine On
        RewriteCond %{HTTP_REFERER} !^$
        RewriteCond %{HTTP_REFERER} !mydomain.com
        RewriteRule .*\.(gif|jpg|png)$ http://images.mydomain.com/no.gif [NC]
    </Directory>

~~~
krapp
I've used this method too. But I thought the image type you were supposed to
serve as an alternative had to use a nonstandard extension (like .jpe)?
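
An added example, not part of any comment in this thread: a Python sketch of the decision blantonl's rule makes, with the Referer host compared exactly rather than as an unanchored substring, the placeholder exempted so it is never rewritten onto itself, and an empty Referer allowed as the rule's `!^$` condition does. The `www.mydomain.com` host, the `/no.gif` path and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch: the site's own hostnames and the placeholder path.
SITE_HOSTS = {"mydomain.com", "www.mydomain.com"}
PLACEHOLDER = "/no.gif"
IMAGE_EXTS = (".gif", ".jpg", ".png")


def referer_host(referer):
    """Lowercased hostname from a Referer value, or None if it has none."""
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    return host.lower() if host else None


def decide(path, referer):
    """Return 'serve' or 'placeholder' for a single request."""
    if not path.lower().endswith(IMAGE_EXTS):  # same extensions as the rule, [NC]
        return "serve"
    if path == PLACEHOLDER:  # never rewrite the placeholder itself: avoids a loop
        return "serve"
    if not referer:  # RewriteCond %{HTTP_REFERER} !^$ : empty Referer passes
        return "serve"
    # Exact host comparison instead of an unanchored substring match.
    return "serve" if referer_host(referer) in SITE_HOSTS else "placeholder"


# Constructed sample requests: (path, Referer header value).
SAMPLES = [
    ("/cat.jpg", ""),
    ("/cat.jpg", "http://www.mydomain.com/post/1"),
    ("/cat.jpg", "http://splog.example/stolen-post"),
    ("/cat.jpg", "http://mydomain.com.example.net/"),
    ("/no.gif", "http://splog.example/stolen-post"),
    ("/CAT.PNG", "http://splog.example/stolen-post"),
]


def run_samples():
    return [decide(path, ref) for path, ref in SAMPLES]


if __name__ == "__main__":
    for (path, ref), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:11} {path:9} referer={ref!r}")
```

The first sample, with no Referer at all, is also what an HTTP image request from an HTTPS page looks like, so it is served.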

------
pi18n
We've seen opportunistic vultures use the DMCA to lawlessly enforce their
censorship, but when a case it's actually designed for comes up...

Maybe he already thought of it, but it might also help to send DMCA notices to
Google as well as the website's registrar and host. I'd love to see a bad guy
get taken down by the good guys for once.

~~~
pdwetz
Agreed that DMCA can also be used, but that only applies to US hosts/sites.
His approach lets you handle other cases and also takes effect immediately.

~~~
pi18n
I was not thinking of that and you are absolutely right.

------
Ricapar
Thank you for using a specific blacklist on HTTP_REFERER.

Worst I've seen done is when sites will throw the stupid "No Hotlinking"
message image when they don't see a matching referrer from the same domain. In
other words, a "fuck you" to anyone who decides to configure their browser to
not send referrers.

~~~
warcode
Configure your browser to send the target domain as the referrer and you won't
have that issue.

In fact it even makes any hotlinking filters set up like this not work at all,
and serve you the picture normally.

------
davidgerard
Of course, Jason Scott already won at this.
<http://ascii.textfiles.com/archives/1011>

------
program
Unfortunately this approach does not work in HTTPS world. See
<https://tools.ietf.org/html/rfc2616#section-15.1.3>

    
    
        Clients SHOULD NOT include a Referer header field
        in a (non-secure) HTTP request if the referring page
        was transferred with a secure protocol.

~~~
RKearney
This only will not work if your page is loaded over HTTPS and your assets are
done over HTTP.

If your site and all of the linked/embedded assets are HTTPS, it will work as
intended.

------
hawleyal
You're breaking the internet.

~~~
Steuard
How? Hotlinking of images on someone else's site has been viewed as
inappropriate as long as I can remember (was it okay before 1995?). It's not
wise design in any case: what if they remove it or reorganize their site?
(Hyperlinks to other people's pages have always been okay, but that's not what
we're talking about here.)

~~~
hawleyal
Hotlinking or embedding on another site is not the only thing that breaks.

- Downloading
- Search engines
- Caching
- Sharing (usually nabs thumbnail)

It's just not a good idea. And it doesn't really work. Any scraper worth their
salt would just fake the referrer and be fine.

------
thomaslutz
The only new thing in this post here is how to do this in IIS, but I guess
nobody is using IIS here.

~~~
junto
Your guess is wrong :)

