Friday, June 8, 2012

Differentiate between hotlinking vs user on site

Is there a way to differentiate between a site that is hotlinking an image vs a user that is actually viewing the image on site?

<img src="">


user viewing directly on

Source: Tips4all


  1. Your server can generally tell the difference between a user looking at an image directly on your domain, and another domain hotlinking your image.

    The usual solution to stop hotlinking and allow direct viewing is through .htaccess, only let Apache serve image files to your domain, do not serve image files to other domains.

    So, a user could still go directly to your image file... since your image is on your domain, but your image could not be used in an image tag on another domain.

    So, somewhere in your .htaccess you would have something like:

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
    RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

    There are online tools that will help you create these lines of .htaccess.

    Of course you don't have to be this restrictive, you can allow hotlinking in general, but restrict only hotlinking from "trouble domains."

    Further, instead of stoping hotlinking, you can get Apache to serve an image if your choice to hot linkers, instead of the image they request - in the case below:

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC]
    RewriteRule \.(gif|jpg)$ [R,L]

    .htaccess examples.

  2. You can check the referrer, but this is not 100% accurate.

    The user can spoof the referrer and proxies or user settings can strip/alter it.