IIS 7 URL Rewriting Rule for images not referred by the website itself

Posted on 2011-10-14
Last Modified: 2012-05-12
New to URL rewriting with IIS 7. I need to redirect to another page for images not referred by the website itself. For example is someone enters "" into their browser it'll redirect the user to "".

I found a few good tips for preventing hotlinking here:, which works great, but nothing like what I want from the above example.

Rewrite rule for preventing hotlinking:

    <rule name="Prevent image hotlinking">
      <match url=".*\.(gif|jpg|png)$"/>
        <add input="{HTTP_REFERER}" pattern="^$" negate="true" />
        <add input="{HTTP_REFERER}" pattern="^http://ruslany\.net/.*$" negate="true" />
      <action type="Rewrite" url="/images/say_no_to_hotlinking.jpg" />

Open in new window

Rewrite Rule for Redirection:

    <rule name="Query String Rewrite">
      <match url="page\.asp$" />
        <add input="{QUERY_STRING}" pattern="p1=(\d+)" />
        <add input="##{C:1}##_{QUERY_STRING}" pattern="##([^#]+)##_.*p2=(\d+)" />
      <action type="rewrite" url="newpage.aspx?param1={C:1}&amp;amp;param2={C:2}" appendQueryString="false"/>

Open in new window

Anyway to somehow combine the rules to do what I want?

Thanks in advance
Question by:Kinjite
    LVL 30

    Accepted Solution

    I don't know why you need to combine them both. They both do 2 different functions. Anyways, the hotlink rule is fine. You just need to change the referer and add the R:0 variable.

                <rule name="Prevent Hotlinking" stopProcessing="true">
                        <match url=".*\.(gif|jpg|png)$" />
                            <add input="{HTTP_REFERER}" pattern="^$" negate="true" />
                            <add input="{HTTP_REFERER}" pattern="http://your\.domain\.com$" negate="true" />
                        <action type="Rewrite" url="/prevent.aspx?{R:0}" appendQueryString="false" />


    Author Comment

    I tried this.

    It works if you refresh the image after its been loaded into the browser. It also works if you paste the image directly into the browser without going to the site.

    Sites like stumbleupon and twitter's redirect links still show the image and this is what I'm trying to prevent. They request millions of photo impressions per month.

    Any way to redirect to the prevent page whether or not the referrer is empty or not AND only allow the image to be show by itself in the browser if its from the domain itself?

    Author Closing Comment

    It works. I forgot to add negate="true" to the conditions

    Featured Post

    Why You Should Analyze Threat Actor TTPs

    After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

    Join & Write a Comment

    by Mark Wills Attending one of Rob Farley's seminars the other day, I heard the phrase "The Accidental DBA" and fell in love with it. It got me thinking about the plight of the newcomer to SQL Server...  So if you are the accidental DBA, or, simp…
    In this article I will describe the Copy Database Wizard method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
    This video discusses moving either the default database or any database to a new volume.
    Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now