Hotlink pictures - redirect traffic to the source website

David Barman
I have a customer with an ecommerce Magento 1.9.x website. We have discovered that our hosting package bandwidth usage has gone up considerably. It appears that some of our product pictures on the site are victims of hotlinking. I have found some references on how to stop the hotlinking or replace the image when hotlinked. For example: https://alistapart.com/article/hotlinking/ However, I was wondering whether there is a way to give the user that viewed the "hotlinked" picture from the remote site a link back to our site. If they're going to steal our pictures/bandwidth, then maybe we can redirect their visitors to our site?
David S., Consultant & Challenge Subduer
Top Expert 2009

Commented:
No, that would be a huge security hole, if you could do that. However, you could redirect hotlinked images to an image that shows nothing but a message about unauthorized use and the URL for your customer's site.

I recommend you check the "referer" (sic) header but allow a blank value since many more browsers aren't sending them these days in an attempt to regain some privacy.

Also it may be worth adding watermarks to the product photos.
Most Valuable Expert 2017
Distinguished Expert 2018

Commented:
Not sure if this was covered in the article but you could redirect all image requests to a script.

The script checks a session variable or cookie to see if the request is coming from someone who loaded the page and if so it just readfile's the image out - if not you can do whatever you want in terms of what you send back.

Something like this

In your site pages you add a session
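<?php
// ... (rest of the page code; session_start() must run before any output is sent)
session_start();
// Flag that the verify script checks before serving an image
$_SESSION['images'] = 1;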


In your verify script you do this
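<?php
session_start();
// Serve only image files from images/ (assumed location); basename() strips
// directory parts so the img parameter cannot be used to read other files.
$types = array('png' => 'image/png', 'gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg');
$name = basename(isset($_GET['img']) && is_string($_GET['img']) ? $_GET['img'] : '');
$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
$path = 'images/' . $name;
// The key must match the one set in the site pages: 'images'
if (isset($_SESSION['images']) && isset($types[$ext]) && is_file($path)) {
	header('Content-Type: ' . $types[$ext]);
	readfile($path);
}
else {
	header('Content-Type: image/gif');
	readfile('images/no_hotlink.gif');
}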


In your .htaccess you implement a rule to redirect all image requests to your verify script.

Working sample here
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Julian's PHP works well + involves PHP, so can cause problems for high traffic sites.

For high traffic sites, use the following in either your .htaccess file or Apache VirtualHost config stanza...

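RewriteEngine on
# Allow requests that send no Referer header at all
RewriteCond %{HTTP_REFERER} !^$
# Allow requests referred from your own site (http or https, with or without www)
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?your-site-here\.com/.*$ [NC]
# Any other referer asking for these file types gets 403 Forbidden
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ - [F]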


Add in any additional file extensions, like .mp4 + .mkv or any other heavy weight files anyone might hotlink.
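
An added example, not part of the original thread: before turning on a referer rule like the one above, the same test can be run over the Apache access log to see which external sites are hotlinking and how much bandwidth each one costs. The log lines are constructed samples in combined log format, `your-site-here.com` is the placeholder from the rule above, and the function name is made up for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format: request line, status, bytes, referer, user agent.
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$'
)
IMAGE_RE = re.compile(r'\.(gif|jpe?g|png|bmp)$', re.IGNORECASE)
OWN_HOSTS = {"your-site-here.com", "www.your-site-here.com"}  # placeholder hosts

def hotlink_bandwidth(lines, own_hosts=OWN_HOSTS):
    """Return {external_referer_host: bytes_served} for image requests.

    Mirrors the rewrite conditions: a blank referer is allowed, and a
    referer whose host is one of our own is not a hotlink.
    """
    totals = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        path = urlsplit(m["path"]).path  # drop any query string
        if not IMAGE_RE.search(path):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            continue  # no referer sent: treated as allowed
        # Compare the parsed host exactly, so a look-alike such as
        # your-site-here.com.shop.example still counts as external.
        host = (urlsplit(referer).hostname or "").lower()
        if not host or host in own_hosts:
            continue
        if m["bytes"] != "-":
            totals[host] += int(m["bytes"])
    return dict(totals)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2019:10:00:01 +0000] "GET /media/catalog/product/a.jpg HTTP/1.1" 200 150000 "http://blog.example.net/post/1" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Mar/2019:10:00:02 +0000] "GET /media/catalog/product/a.jpg HTTP/1.1" 200 150000 "https://www.your-site-here.com/shoes.html" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2019:10:00:03 +0000] "GET /media/catalog/product/b.png?v=2 HTTP/1.1" 200 90000 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Mar/2019:10:00:04 +0000] "GET /media/catalog/product/b.png HTTP/1.1" 200 90000 "http://blog.example.net/post/2" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2019:10:00:05 +0000] "GET /media/catalog/product/c.gif HTTP/1.1" 200 20000 "http://your-site-here.com.shop.example/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2019:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 5000 "http://blog.example.net/post/1" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, size in sorted(hotlink_bandwidth(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{size:>10} bytes  {host}")
```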

Author

Commented:
David Favor:  How would we replace the image with a new image?
Most Valuable Expert 2017
Distinguished Expert 2018
Commented:
@DavidF the purpose of the code was to provide an alternative to a REFERRER based solution.

@DavidB: If you want to send back a different image then just do this

(From the following link https://mediatemple.net/community/products/dv/204644230/prevent-hotlinking-with-a-htaccess-file)
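RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/.*$ [NC]
# Do not rewrite the replacement image itself, or the redirect loops
RewriteCond %{REQUEST_URI} !/angryman\.gif$
RewriteRule \.(gif|jpg)$ http://www.example.com/angryman.gif [R,L]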


The example given by DavidF is in this article as well so you can mix and match as required.

Author

Commented:
Thank you.
