Posted to wiki-changes@httpd.apache.org by Apache Wiki <wi...@apache.org> on 2006/12/13 17:09:30 UTC

[Httpd Wiki] Update of "Recipes/DisableImageHotLinking" by megaspaz

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The following page has been changed by megaspaz:
http://wiki.apache.org/httpd/Recipes/DisableImageHotLinking

The comment on the change is:
New recipe

New page:
= Disable Image Hot Linking =

In this How-To guide, we will show you how to disable image hot linking using two methods:

==== Using mod_rewrite ====

{{{RewriteEngine on
RewriteCond %{HTTP_REFERER} !=""
RewriteCond %{HTTP_REFERER} !example\.com [NC]
RewriteRule \.(jpe?g|gif|png)$ - [F,NC]
}}}

This rewrite rule returns a 403 Forbidden response when the referer is non-empty and does not match your domain. PNG, JPEG, and GIF images will then not be shown in a web page that hot links to them.

==== Using SetEnvIfNoCase and FilesMatch ====

{{{SetEnvIfNoCase Referer "example\.com" local_ref=1
 
<FilesMatch "\.(jpe?g|gif|png)$">
  Order Allow,Deny
  Allow from env=local_ref
</FilesMatch>
}}}

This first checks the referer and sets an environment variable if the referer contains your domain. The !FilesMatch section then matches requests for jpeg, png, and gif files. If the filename matches, access is only allowed if the environment variable is set. Unlike the mod_rewrite method, a request that carries no referer at all is denied here.[[BR]][[BR]]

In both methods, you might want to add patterns to the referer checks, since your site may be reached under other names: localhost for local testing, an IP address, a LAN hostname, etc.
[[BR]][[BR]]
The same holds true for the file extension match. For any other kinds of resource you would like to protect, add their file extensions to the file extension pattern.
[[BR]][[BR]]
You should note that there really is no way to keep everyone from stealing your images/bandwidth. If someone really wants to hot link to your resources, they will. Checking the referer value is not reliable. Anyone can send whatever referer value they want... provided they know how.
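
The decision logic of both recipes, modelled in Python as an added example (not part of the original wiki page) and run over constructed Referer values. `STRICT` is an assumed tightened pattern that anchors the scheme and host, and Python's `re` stands in for Apache's regex engine.

```python
import re

IMAGE = re.compile(r"\.(jpe?g|gif|png)$")   # extension pattern from both recipes
LOOSE = re.compile(r"example\.com", re.I)   # referer pattern as written in the recipes
# Assumed tightening, not from the recipe: anchor the scheme and the full host name.
STRICT = re.compile(r"^https?://(www\.)?example\.com(:\d+)?(/|$)", re.I)

def rewrite_status(path, referer, pattern=LOOSE):
    """mod_rewrite recipe: 403 only if Referer is non-empty AND does not match."""
    if IMAGE.search(path) and referer != "" and not pattern.search(referer):
        return 403
    return 200

def setenvif_status(path, referer, pattern=LOOSE):
    """SetEnvIfNoCase recipe: an image is served only when local_ref was set."""
    local_ref = bool(pattern.search(referer))
    if IMAGE.search(path) and not local_ref:
        return 403
    return 200

# Constructed sample Referer values (not taken from real logs).
SAMPLES = {
    "empty": "",
    "own_site": "https://www.example.com/gallery.html",
    "foreign": "https://other.test/page.html",
    "foreign_host_prefix": "https://example.com.other.test/page.html",
    "foreign_query": "https://other.test/page.html?ref=example.com",
}

def decision_table(path="/img/logo.png"):
    """Return {label: (rewrite loose, rewrite strict, setenvif loose, setenvif strict)}."""
    return {
        label: (
            rewrite_status(path, ref, LOOSE),
            rewrite_status(path, ref, STRICT),
            setenvif_status(path, ref, LOOSE),
            setenvif_status(path, ref, STRICT),
        )
        for label, ref in SAMPLES.items()
    }

if __name__ == "__main__":
    for label, row in decision_table().items():
        print(f"{label:20} {row}")
```

The table shows where the two methods differ (the empty referer) and that a pattern which only checks whether the referer contains the domain also accepts foreign URLs with that string in the host name or query.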