What is Hotlinking?
Hotlinking is when another website links directly to one or more of your images or multimedia files and includes them on its own web page. Not only is this theft of your intellectual property, but you are also paying for the bandwidth used by that site, which can become a problem for your budget.
The most common way to prevent others from hotlinking your content is Apache's mod_rewrite. While this solution is freely available, it has a couple of drawbacks. One is that Apache has to be configured with mod_rewrite (--enable-rewrite). Another is that, for a lot of people, writing regular expressions is not the easiest thing to do.
Of course there are commercial solutions to the problem. Probably the most common one is cPanel, an administration interface for web servers that lets you create all the necessary items for your hotlink protection with a few clicks, in a matter of seconds.
Problems with common Hotlink Protection
While it may certainly sound promising to take the steps necessary to stop other sites from leeching your bandwidth, there are issues that can arise as a result. There is one major drawback to every server-side hotlink protection I have come across: they all rely on the HTTP_REFERER environment variable to work.
The main problem these days is that people are becoming more and more cautious about the way web sites use their information. If you decide to implement anti-leeching techniques that rely on the referer on your site, you should be aware that you could be blocking otherwise legitimate requests. A visitor who chooses to block or hide their browser's HTTP_REFERER may have come from a page within your own domain, yet will not pass a recognised value to the server and will therefore be stopped from viewing your images or downloading your files.
A Trusted Approach at the Simplest Level
There are times when you need to store a file (such as one that you sell for profit) outside the document root of your domain and let buyers download it via a PHP script, so as to hide the real path, web address or URL of that file. This approach enables you to:
- Check permissions before serving the file download, thus protecting it from being downloaded by unprivileged visitors.
- Store the file outside the web document directory of that domain, a good practice in web security for protecting sensitive and important data.
- Count the number of downloads and collect other useful download statistics.
Given that you have put the file to be downloaded via the PHP script at /home/user/content/data.tar.gz, write a PHP file with the following content and put it in the web document directory where your site visitors can access it:
```php
<?php
$path = '/home/user/content/data.tar.gz'; // the file made available for download via this PHP file
$mm_type = "application/octet-stream";    // modify according to the file type of $path, but in most cases there is no need to do so

// Headers that make browsers treat the response as a file download rather than a page
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-Type: " . $mm_type);
header("Content-Length: " . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header("Content-Transfer-Encoding: binary");

readfile($path); // outputs the content of the file
exit();
```
Now your site visitors can download the protected file, and can only download it, via the PHP script.
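The script above streams one hard-coded file and does none of the three things the list earlier promises (permission check, download counting) beyond keeping the file outside the document root. The following is an added example, not the article's own code, of how a download handler can deliver all three while never letting the client choose a filesystem path. The directory, the allowlist of keys, the session fields (`user_id`, `purchased`) and the tab-separated counter file are assumptions made for illustration.

```php
<?php
// Added example: download handler with permission check, allowlisted files
// outside the document root, and a download log. All names are assumed.
declare(strict_types=1);

const DOWNLOAD_ROOT = '/home/user/content';                 // assumed directory outside the docroot
const DOWNLOADS = [                                         // client-visible key => real filename
    'data'   => 'data.tar.gz',
    'manual' => 'manual.pdf',
];
const COUNTER_FILE = '/home/user/content/downloads.log';    // assumed log file, one line per download

// Map a client-supplied key to a real path. The key is never used as a path
// itself, so "../" or absolute paths from the client cannot reach other files.
function resolve_download(string $key): ?string
{
    if (!array_key_exists($key, DOWNLOADS)) {
        return null;
    }
    $real = realpath(DOWNLOAD_ROOT . '/' . DOWNLOADS[$key]);
    // Defence in depth: even if a symlink was planted in the directory, refuse
    // anything whose resolved location is not under DOWNLOAD_ROOT.
    $prefix = DOWNLOAD_ROOT . '/';
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return (is_file($real) && is_readable($real)) ? $real : null;
}

// Permission check: a logged-in user whose session lists this key as purchased.
// Populating the session is the shop's job; this only consumes it.
function may_download(array $session, string $key): bool
{
    return isset($session['user_id'])
        && in_array($key, $session['purchased'] ?? [], true);
}

// Append one line per download; LOCK_EX serialises concurrent writers.
function record_download(string $counterFile, string $key, int $userId): void
{
    $line = sprintf("%s\t%s\t%d\n", date('c'), $key, $userId);
    file_put_contents($counterFile, $line, FILE_APPEND | LOCK_EX);
}

// Send the file in chunks so a large download does not have to fit in memory.
function send_file(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Cache-Control: private, no-store');   // a paid file should not land in shared caches

    $fh = fopen($path, 'rb');
    while (!feof($fh)) {
        echo fread($fh, 65536);
        flush();
    }
    fclose($fh);
}

session_start();
$key = (string) ($_GET['file'] ?? '');

if (!may_download($_SESSION, $key)) {
    http_response_code(403);
    exit('Not authorised');
}

$path = resolve_download($key);
if ($path === null) {
    http_response_code(404);
    exit('No such download');
}

record_download(COUNTER_FILE, $key, (int) $_SESSION['user_id']);
send_file($path);
```

A request such as `/download.php?file=data` is the only form the client ever sees; the real path stays on the server. Because the decision rests on the session rather than on HTTP_REFERER, a visitor who strips the referer is still served as long as they are logged in and entitled to the file, which is exactly the case the referer-based protections above get wrong.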