{"id":8898,"date":"2006-03-28T06:56:48","date_gmt":"2006-03-28T13:56:48","guid":{"rendered":"http:\/\/hill-kleerup.org\/blog\/wp\/2006\/03\/28\/protecting-your-image-with-htaccess.html"},"modified":"2006-03-28T06:56:48","modified_gmt":"2006-03-28T13:56:48","slug":"protecting_your","status":"publish","type":"post","link":"https:\/\/hill-kleerup.org\/blog\/2006\/03\/28\/protecting_your.html","title":{"rendered":"Protecting your image (with .htaccess)"},"content":{"rendered":"<p>As part of tracking the current spam problem (and the changes I made to the MT cgi directory yesterday did abruptly cut off all the error log messages &#8212; and, I&#8217;ll note, all the junk trackbacks that have gotten through &#8212; more on that later), I noted in my access logs a lot &#8212; I mean a lot &#8212; of image theft.  Folks &#8212; mostly in <em>myspace.com <\/em>&#8212; linking directly through to images on my blog, rather than hosting the images on their own site (and using their own bandwidth).<\/p>\n<p>Now, most of those images were copied down here by me for fair use purposes, so I can&#8217;t object too strenuously on IP grounds.  But it&#8217;s not their using the images <em>per se<\/em>, but the &#8220;bandwidth theft&#8221; and server traffic impact on me that&#8217;s a problem. Someone is, essentially, making <em>their <\/em>page all pretty on the back of <em>my <\/em>account&#8217;s bandwidth, interfering to some degree with <em>your <\/em>ability to come here and see <em>my <\/em>pretty page.<\/p>\n<p>I have no idea of the impact of this, though, anecdotally, it can be a serious problem on some sites.  
But it&#8217;s a known discourtesy, and folks have come up with any number of ways to prevent it.<\/p>\n<p><!--more--><\/p>\n<p>E.g.:<\/p>\n<ul>\n<li><a href=\"http:\/\/www.thesitewizard.com\/archive\/bandwidththeft.shtml\" target=\"_blank\">Preventing Image Bandwidth Theft With .htaccess<\/a> (The Site Wizard)\n<li><a href=\"http:\/\/www.yourhtmlsource.com\/sitemanagement\/bandwidththeft.html\" target=\"_blank\">Bandwidth Theft<\/a> (HTMLSource)\n<li><a href=\"http:\/\/underscorebleach.net\/jotsheet\/2004\/11\/stop-image-hotlinking-tutorial-htaccess-apache\" target=\"_blank\">Preventing image hotlinking: An improved tutorial<\/a> (Underscorebleach.net)\n<li><a href=\"http:\/\/altlab.com\/htaccess_tutorial.html\" target=\"_blank\">Stop Hotlinking and Bandwidth Theft with HTACCESS<\/a> (Altlab).  Includes a helpful tester to see if the image is showing up.\n<li><a href=\"http:\/\/www.tomrafteryit.net\/using-htaccess-to-stop-remote-image-linking-hotlinking-and-bandwidth-theft\/\" target=\"_blank\">Using .htaccess to stop remote image linking (hotlinking) and bandwidth theft<\/a> (Tom Raftery)\n<li><a href=\"http:\/\/www.tomrafteryit.net\/block-hotlinkers-but-allow-some-sites-remote-access-to-images-using-htaccess\/\" target=\"_blank\">Block hotlinkers but allow some sites remote access to images using .htaccess<\/a> (Tom Raftery)\n<li><a href=\"http:\/\/helpdesk.islandnet.com\/help\/imagetheft.php\" target=\"_blank\">Preventing Image Bandwidth Theft<\/a> (Islandnet.com)<\/ul>\n<p>All of the above discuss how to deal with the problem, which is basically modifying the .htaccess file in your images directory &#8230;<\/p>\n<p><small>&#8230; you do have all your images in their own directory, don&#8217;t you?  That would certainly be convenient &#8230;<\/small><\/p>\n<p>&#8230; so that requesters end up with zilcho (a broken image icon) when they point to it.<\/p>\n<p>There are essentially two ways of doing this.  
Most sources use mod_rewrite to check out the request (&#8220;RewriteCond %{HTTP_REFERER}&#8221;) and block it.  The HTMLSource article above is an example of this.<\/p>\n<p>A couple of sites, though, suggest using <a href=\"http:\/\/httpd.apache.org\/docs\/1.3\/mod\/mod_setenvif.html\" target=\"_blank\">SetEnvIfNoCase<\/a> (Site Wizard and Islandnet, above).  From what I&#8217;ve seen elsewhere, this is becoming the preferred mechanism for doing this sort of checking, if your server supports it (not all do, or did).<\/p>\n<p><small>(By the way, if I commit a technical gaffe here, please feel free to correct me.  I&#8217;m learning here by example.)<\/small><\/p>\n<p>So here&#8217;s what I&#8217;ve ended up putting in the <em>.htaccess <\/em>file of my \/blog\/images\/ directory.  (I do have other places where images reside, but they&#8217;re a lot less likely to be being stolen from):<\/p>\n<blockquote>\n<pre># Literal dots are escaped; the own-domain pattern must end at a slash or end of string so look-alike host names do not match.\nSetEnvIfNoCase Referer \"^$\" locally_linked=1\nSetEnvIfNoCase Referer \"!^http:\/\/.$\" locally_linked=1\nSetEnvIfNoCase Referer \"^http:\/\/(www\\.)?hill-kleerup\\.org(\/|$)\" locally_linked=1\nSetEnvIfNoCase Referer \"^http:\/\/216\\.239\\.(3[2-9]|[45][0-9]|6[0-3]).*(www\\.)?hill-kleerup\\.org\" locally_linked=1\nSetEnvIfNoCase Referer \"^http:\/\/babel\\.altavista\\.com\/.*(www\\.)?hill-kleerup\\.org\" locally_linked=1\nSetEnvIfNoCase Referer \"^http:\/\/216\\.243\\.113\\.1\/cgi\/\" locally_linked=1\nSetEnvIfNoCase Referer \"^http:\/\/search.*\\.cometsystems\\.com\/search.*(www\\.)?hill-kleerup\\.org\" locally_linked=1\nSetEnvIfNoCase Referer \"^http:\/\/.*searchhippo\\.com.*(www\\.)?hill-kleerup\\.org\" locally_linked=1\nSetEnvIfNoCase Referer \"^http:\/\/[^.\/]*\\.bloglines\\.com\" locally_linked=1\nSetEnvIfNoCase Referer \"^http:\/\/[^.\/]*\\.search\\?q=cache\" locally_linked=1\nSetEnvIfNoCase Referer \"^http:\/\/[^.\/]*\\.talkr\\.com\" locally_linked=1\nSetEnvIfNoCase Referer \"^http:\/\/[^.\/]*\\.google\\.\" locally_linked=1\n&lt;FilesMatch \"\\.(gif|png|jpe?g|bmp)$\"&gt;\nOrder 
Allow,Deny\nAllow from env=locally_linked\n&lt;\/FilesMatch&gt;<\/pre>\n<\/blockquote>\n<p>Essentially, any request to a file in that directory (or anything below it) will be evaluated as to where it&#8217;s coming from (the &#8220;Referer&#8221; (sic) value).  If the Referrer is blank, or contains some firewall-inserted text, or (most importantly) is from my own domain (i.e., an image is being called by a web page or my account), then we want that to pass.  (Ditto for some domains that may have images I&#8217;m intentionally hosting here; I&#8217;ve left those off the above listing).  <\/p>\n<p>There are also some bits under that to allow some search engines and RSS aggregators (and the Babelfish translator) to show the images properly.  That&#8217;s okay by me, because that&#8217;s someone actually looking at my page.  But anyone else is Denied access to the image.<\/p>\n<p>The result of all this? Well, <a href=\"http:\/\/profile.myspace.com\/index.cfm?fuseaction=user.viewprofile&#038;friendid=15222505\" target=\"_blank\">some<\/a> <a href=\"http:\/\/profile.myspace.com\/index.cfm?fuseaction=user.viewprofile&#038;friendid=19461950\" target=\"_blank\">folks<\/a> (&#8220;don&#8217;t be a carbon copy. be original. be yourself.&#8221;) who were linking to images directly off my page (either themselves, or commenters), instead of doing the polite thing and downloading said images and putting them on their own site directly, now have little broken graphics instead.  Huzzah!<\/p>\n<p>Note that some solutions to this problem instead redirect the image request to a different image (e.g., something with eye-splitting colors, or something embarrassing, or something that says &#8220;I AM A THIEF!,&#8221; <a href=\"http:\/\/www.cartooncottage.com\/html\/bandwidththeft.html\" target=\"_blank\">etc<\/a>.).  Those solutions can be found in the above links, too.   I&#8217;ve decided not to do that, but instead just leave them with a broken image showing up.  
If I were to do it, it would probably be a tasteful little colored block (say, green with yellow text) that says, &#8220;If you like the image, then host it on your own server, please; don&#8217;t steal my bandwidth.&#8221;<\/p>\n<p><small>Yes, I&#8217;m far too polite for this line of work.<\/small><\/p>\n<p>Some people watch their referrer logs and <a href=\"http:\/\/www.deuceofclubs.com\/switcheroo\/\" target=\"_blank\">tailor replacement images<\/a>.  Some people even make it <a href=\"http:\/\/www.maxreactor.com\/hotlinkers\/\" target=\"_blank\">a game<\/a>.  But that&#8217;s waaaay too labor-intensive for me.<\/p>\n<p>Here&#8217;s an <a href=\"http:\/\/www.htaccesstools.com\/hotlink-protection\/\" target=\"_blank\">automated tool for generating a .htaccess file<\/a> to do the above sort of thing (using the mod_rewrite method).<\/p>\n<p>Your site may also, <a href=\"http:\/\/www.webmasterstop.com\/107.html\" target=\"_blank\">through cPanel<\/a>, have a &#8220;Hotlink Protection&#8221; function.  Now that I&#8217;ve done all this work, I discover that, hey, <a href=\"http:\/\/hmhelpdesk.com\/index.php?action=kb&#038;article=114\" target=\"_blank\">my host has that<\/a>.  On the other hand, that&#8217;s a blanket block across the entire site; I kind of like (at this point) tailoring it for a specific directory.  I also like the nuances of the above list (for aggregators, Google images, etc.) that might or might not (as I try to translate the query language) come into play there.  <\/p>\n<p>Whatever you do, test it before and after to confirm that you haven&#8217;t messed things up.  
And as part of that testing via thieving sites, be sure and flush your cache so that you&#8217;re not just seeing images stored on your PC.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As part of tracking the current spam problem (and the changes I made to the MT cgi directory yesterday did abruptly cut off all the error log messages &#8212; and,&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[3],"tags":[],"class_list":["post-8898","post","type-post","status-publish","format-standard","hentry","category-blogging"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":8876,"url":"https:\/\/hill-kleerup.org\/blog\/2006\/03\/31\/myspace_tries_t.html","url_meta":{"origin":8898,"position":0},"title":"MySpace tries to be safer","author":"***Dave","date":"Fri 31-Mar-06 2:14pm","format":false,"excerpt":"News Corp., which owns MySpace.com, has taken down some 200,000 \"objectionable\" profiles from its site. 
The objections being to \"hate speech\" or material that was \"too risqu\u00e9.\u201d (No word on...","rel":"","context":"In &quot;Blogging &amp; Internet&quot;","block_context":{"text":"Blogging &amp; Internet","link":"https:\/\/hill-kleerup.org\/blog\/category\/blogging"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":4194,"url":"https:\/\/hill-kleerup.org\/blog\/2003\/01\/21\/bandwidth.html","url_meta":{"origin":8898,"position":1},"title":"Bandwidth","author":"***Dave","date":"Tue 21-Jan-03 12:07pm","format":false,"excerpt":"Penises have higher bandwidth than cable modems. \"I got your broadband right here, baby!\" (via InstaPundit)...","rel":"","context":"In &quot;Science &amp; Nature&quot;","block_context":{"text":"Science &amp; Nature","link":"https:\/\/hill-kleerup.org\/blog\/category\/science"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":12591,"url":"https:\/\/hill-kleerup.org\/blog\/2008\/03\/14\/how_to_be_bloggable.html","url_meta":{"origin":8898,"position":2},"title":"How to be bloggable","author":"***Dave","date":"Fri 14-Mar-08 7:35pm","format":false,"excerpt":"Or, rather a list of 17 ways to keep from not being bloggable.\u00a0\u00a0This article by Cory Doctorow (BoingBoinger extraordinaire) is not saying how to be worthy of being blogged about,...","rel":"","context":"In &quot;Blogging &amp; Internet&quot;","block_context":{"text":"Blogging &amp; Internet","link":"https:\/\/hill-kleerup.org\/blog\/category\/blogging"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":12823,"url":"https:\/\/hill-kleerup.org\/blog\/2008\/09\/22\/bandwidth_2.html","url_meta":{"origin":8898,"position":3},"title":"Bandwidth","author":"***Dave","date":"Mon 22-Sep-08 7:11am","format":false,"excerpt":"Well, I got my official email notification from Comcast that, for residences, 250Gb of bandwidth throughput is considered excessive in the future. 
In the updated AUP, we clarify that monthly...","rel":"","context":"In &quot;Media Moguls&quot;","block_context":{"text":"Media Moguls","link":"https:\/\/hill-kleerup.org\/blog\/category\/media\/media-moguls"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2722,"url":"https:\/\/hill-kleerup.org\/blog\/2002\/09\/30\/thanks_julia.html","url_meta":{"origin":8898,"position":4},"title":"Thanks, Julia &#8230;","author":"***Dave","date":"Mon 30-Sep-02 4:00pm","format":false,"excerpt":"... for making me burn another chunk of my company's bandwidth before I went home. Oh, mama ......","rel":"","context":"In &quot;Media &amp; Culture&quot;","block_context":{"text":"Media &amp; Culture","link":"https:\/\/hill-kleerup.org\/blog\/category\/media"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":848,"url":"https:\/\/hill-kleerup.org\/blog\/2001\/11\/09\/homeless_the_se.html","url_meta":{"origin":8898,"position":5},"title":"Homeless, the Sequel","author":"***Dave","date":"Fri 9-Nov-01 11:39am","format":false,"excerpt":"The good news, per Averdata: Nobody reads me, so, yes, \"the bandwidth usage of your site is low.\" The bad news, per Averdata: Their logs still indicate that \"the server...","rel":"","context":"In &quot;Blogging &amp; Internet&quot;","block_context":{"text":"Blogging &amp; 
Internet","link":"https:\/\/hill-kleerup.org\/blog\/category\/blogging"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/hill-kleerup.org\/blog\/wp-json\/wp\/v2\/posts\/8898","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hill-kleerup.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hill-kleerup.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hill-kleerup.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hill-kleerup.org\/blog\/wp-json\/wp\/v2\/comments?post=8898"}],"version-history":[{"count":0,"href":"https:\/\/hill-kleerup.org\/blog\/wp-json\/wp\/v2\/posts\/8898\/revisions"}],"wp:attachment":[{"href":"https:\/\/hill-kleerup.org\/blog\/wp-json\/wp\/v2\/media?parent=8898"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hill-kleerup.org\/blog\/wp-json\/wp\/v2\/categories?post=8898"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hill-kleerup.org\/blog\/wp-json\/wp\/v2\/tags?post=8898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}