Blocking Hotlinking With Apache

One of the downsides of running a website is that you never know what other people may do with your content. It can be copied, edited and shared with ease across the internet. One option is to hotlink your articles. Find out how here.

What Is Hotlinking?

Hotlinking occurs when another website uses a link to load a file from your webspace rather than copying it to their own. Usually this is done with images, though any type of file can be hotlinked. As visitors to the other websites load the page with your hotlinked file they can download the file directly from your server. If a file is hotlinked to a number of popular websites, this can cause your bandwidth usage to increase rapidly.

How To Block Hotlinking

Fortunately, hotlinking can be blocked by your web server fairly easily. With Apache this can be done by creating a .htaccess file in the directory containing the file being hot linked and adding the following lines to it:

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]

RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

  • The first line activates the rewrite engine.
  • The second line tells the rewrite engine not to perform the rewrite rule if the HTTP_REFERER header is blank.
  • The third line tells the rewrite engine not to perform the rewrite rule if the HTTP_REFERER header matches:

The [NC] tells the rewrite engine that it should match not just those four variations of but also to ignore any case changes, so httPS://WwW.YourDomain.COM is equally valid as a match.

The final line is the rewrite rule that does the work, it tells the rewrite engine that for any filenames ending in .jpg, .jpeg, .png and .gif that they should be replaced with a hyphen (-). Again NC is used within square brackets to show that the match should be for any use of upper or lower case letters. The F following the NC informs the Apache that it should server a “403 Forbidden” message to the web browser. Finally the L informs Apache that it shouldn’t process any other rewrite rules.

The Process Explained

So how does this work? Well, when a web browser requests a file from your server it will send an HTTP header called HTTP_REFERER. This contains the address of the web page that linked to the file being requested. This could be due to that file being loaded inline with that page such as a font or image, or the user could have clicked a link on that page to view the file directly. Most web browsers will include the HTTP_REFERER header, though some may leave it blank. It will also be blank if the user typed the URL in directly.

This .htaccess file will cause Apache to check the HTTP_REFERER header for incoming file requests and if it is blank or matches for it will serve the file. If the HTTP_REFERER doesn’t match then the user will be given a 403 Forbidden message. To customize it to your site you simply need to replace “” with your website’s domain name.

If you wish the files to be hotlinked by a number of trusted websites, you can copy the third line and paste it in before the RewriteRule line and again change “” to match the domain name of the site you want to trust. If you wish to block access to the files when the HTTP_REFERER is blank then you can simply remove the second line. Finally, to block more file types than those given you can add the file extensions to the list where jpg, jpeg, png and gif are.

***Note: Remember to use the pipe character (|) to separate each file extension.

The use of a .htaccess file can allow very flexible hotlink blocking and can be quite simple to set up. It also has the advantage that you don’t need to reload the Apache configuration once the file has been put in place.

Never miss another post. Sign up for the weekly 100TB newsletter and follow us on Facebook and Twitter.

Originally published at

Like what you read? Give a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.