 |
Vanstechelman.eu | |
|
|
Navigation
My posts on Twitter
- lvanstechelman: For Better Password Policies: OWASP Passfault http://t.co/Tyzk2z6V
- lvanstechelman: XSS attack vector: Eval a url http://t.co/XbbtbivM
- lvanstechelman: New Product: Google Drive http://t.co/OlfyF4oO
- lvanstechelman: @ZIONSECURITY According to http://t.co/i073PUwc the attribute must case-insensitively match the string "HttpOnly"
- lvanstechelman: @ZIONSECURITY My logs contain requests containing the GET parameters like requested by the end-user e.g. /user/login?destination=node%2F1
How to prevent hotlinking
In the webmaster community, "hot linking" is a curse phrase. Also known as "bandwidth stealing" by the angry site owner, it refers to linking directly to non-html objects not on one own's server, such as images, .js files etc. The victim's server in this case is robbed of bandwidth (and in turn money) as the violator enjoys showing content without having to pay for its deliverance. The most common practice of hot linking pertains to another site's images.
There are two ways in which you can prevent hotlinking, but both have a catch. The first one is by using .htaccess, but therefore your webserver has to support mod_rewrite. The second one is only applicable when someone is 'stealing' images from your server. It uses a PHP page to display every picture, but this of course assumes that you have PHP enabled.
Using .htaccess, you can disallow hot linking on your server, so those attempting to link to an image on your site, for example, is shown either the door (a broken image), or the lion's mouth (another image of your choice, such as an image of your favorite pingiun Tux). There is just one small catch- unlike the rest of the .htaccess functionalities we saw earlier, disabling hot linking also requires that your server supports mod_rewrite.
When you don't control the server, you should inquire your web host regarding this. When you do control and maintain the webserver, you should recompile it. To do this with your Apache server, simply add --enable-rewrite to your configure line. A simple line may look like this:
./configure --enable-so --enable-rewrite --prefix=/www
With all the pieces in place, here's how to disable hot linking of images on your site. Simply add the below code to your .htaccess file, and upload the file either to your root directory, or a particular subdirectory to localize the effect to just one section of your site:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]
Be sure to replace "mydomain.com" with your own. The above code causes a broken image to be displayed when its hot linked.
If you're feeling bitter, you can set things up so an alternate image is displayed in place of the hot linked one. The code for this is:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ http://www.mydomain.com/nasty.gif [R,L]
Same deal- replace mydomain.com with your own, plus nasty.gif.
Time to pour a bucket of cold water on hot linking!