What is Hotlinking?
Hotlinking is displaying an image on a website by linking to that image where it is hosted on a different website. Instead of uploading the picture to their own site, the site owner links to the copy on the other site. When the page loads, the picture is actually served by the site of origin. This uses the bandwidth of the website serving the picture and can cost that website's owner money, since hosting companies can charge for the amount of data a site uses. This can be prevented by configuring .htaccess files to stop hotlinking. It can be done easily with Nginx (an HTTP server).
Use Location Directive
Prevent hotlinking by using a location directive in the configuration file:
    location ~ \.(jpe?g|png|gif)$ {
        # none: request has no Referer header
        # blocked: Referer was stripped by a proxy or firewall
        valid_referers none blocked mywebsite.com *.mywebsite.com;
        if ($invalid_referer) {
            return 403;
        }
    }
- Use the pipe | to separate the file extensions that you want to protect from hotlinking. This example protects jpe?g (which matches both jpg and jpeg), png, and gif, each separated by a pipe. Add any other file types by placing a pipe between them.
- The valid_referers directive lists the sites that are allowed to hotlink. List all versions of your domain here. You can add other sites if you want to allow them to hotlink.
You can also change the location directive to block files from a specific directory. For example:
    location /images/ {
        valid_referers none blocked mywebsite.com *.mywebsite.com;
        if ($invalid_referer) {
            return 403;
        }
    }
- Instead of listing specific file types, this lists a specific directory. All images in that directory will be blocked from hotlinking.
Use the rewrite directive to display a different image instead of the one the website attempted to hotlink. This will discourage the site from hotlinking while also giving your site free publicity.
    location ~* \.(gif|png|jpe?g)$ {
        expires 7d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        # Dots are escaped so they match a literal "." only.
        # server_names covers this server's own host names.
        valid_referers none blocked ~\.google\. ~\.bing\. ~\.yahoo\. server_names;
        if ($invalid_referer) {
            rewrite (.*) /static/images/hotlink-denied.jpg redirect;
        }
    }
    # Exact-match location so the replacement image itself is never rewritten.
    location = /static/images/hotlink-denied.jpg { }
- The rewrite specifies which image to display instead of the hotlinked image.
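To see which requests these rules let through before deploying them, the sketch below models the documented `valid_referers` matching (none, blocked, exact host, `*.` wildcard, `~` regex) and runs it over constructed Referer values. It is an added example, not Nginx's own code or part of the original page; URI prefixes and trailing wildcards are not modelled, and `invalid_referer`, `audit` and the sample data are names chosen here.

```python
import re

def invalid_referer(referer, rules):
    """True when the modelled valid_referers rules reject this Referer."""
    if referer is None:                       # header absent
        return "none" not in rules
    scheme = re.match(r"https?://", referer, re.I)
    if not scheme:                            # present but not a URL
        return "blocked" not in rules
    rest = referer[scheme.end():]             # text after the scheme
    host = re.split(r"[:/]", rest, maxsplit=1)[0].lower()
    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule.startswith("~"):              # regex, case-insensitive
            if re.search(rule[1:], rest, re.I):
                return False
        elif rule.startswith("*."):           # any subdomain, not the apex
            if host.endswith(rule[1:].lower()):
                return False
        elif host == rule.lower():            # exact host name
            return False
    return True

def audit(referers, rules):
    """Map each Referer to the response the rules would produce."""
    return {r: "403" if invalid_referer(r, rules) else "allow" for r in referers}

# Constructed sample data: the page's first rule set and made-up Referers.
SITE_RULES = ["none", "blocked", "mywebsite.com", "*.mywebsite.com"]
SAMPLES = [None, "about:client", "https://mywebsite.com/gallery",
           "https://img.mywebsite.com/", "https://other.example/post",
           "https://mywebsite.com.other.example/"]
# Unescaped dots match any character; escaped dots match "." only.
LOOSE, STRICT = ["~.google."], [r"~\.google\."]
ENGINE_SAMPLES = ["https://www.google.com/search?q=x",
                  "https://other.example/agoogle-images/"]

if __name__ == "__main__":
    for rules, refs in ((SITE_RULES, SAMPLES), (LOOSE, ENGINE_SAMPLES),
                        (STRICT, ENGINE_SAMPLES)):
        for ref, verdict in audit(refs, rules).items():
            print(rules, repr(ref), verdict)
```

Because `none` and `blocked` are in the list, requests with a missing or stripped Referer are served; that keeps direct visits and privacy-filtering proxies working.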
Using the location directive is a simple fix to hotlinking. Once this is in place, other websites won’t be able to steal your images or your bandwidth.