[documentation] [feature] Prevent hotlinking

Morbus Iff drupal-docs at drupal.org
Wed Dec 21 17:09:19 UTC 2005 

Issue status update for 
http://drupal.org/node/24963
Post a follow up: 
http://drupal.org/project/comments/add/24963

-Project:      Drupal
+Project:      Documentation
 Version:      <none>
-Component:    base system
+Component:    User Guide
 Category:     feature requests
 Priority:     minor
 Assigned to:  Anonymous
 Reported by:  crackerjackmack at evilsquid.net
 Updated by:   Morbus Iff
 Status:       active

I'll be more than happy to review crackerjack's submitted documentation
page. Let us know when you've submitted it.




Morbus Iff



Previous comments:
------------------------------------------------------------------------

Tue, 14 Jun 2005 03:35:51 +0000 : crackerjackmack at evilsquid.net

While lacking proper documentation, this set of mod_rewrite rules is
useful to prevent hotlinking on drupal based sites.  It supports both
public and private file download methods so people cannot "hotlink"
images, movies or the like.  


It is something very useful that I would like to see added to the
.htaccess file since there are some very big sites starting to use
drupal, this might come in handy as a "ready to go" feature.  It does
not require any specific location in the mod-rewrite IF block.  I am
currently using it on http://evilsquid.net (my own site) and have not
had any issues thus far with it.  Feel free to take some of my words to
make the documentation of it more clear for the general public.


You can go even further by removing the  RewriteCond   
%{HTTP_REFERER} !^$ to make images only viewable from your website. 
Good, but can have problems and recorse on certian sites.  While
tempting, that option should not be commented out without properly
analyzing your network traffic.  


I did not write any documentation as I can have trouble with words and
explaining myself.  I know words and things of the like, but
communicating them to my fingers is another story all together. 
Hopefully someone with more tact and skill will write verbose, easy to
understand comments for the general user base.


  # Prevent hotlinking
  RewriteCond    %{REQUEST_FILENAME} \.(gif|jpe?g|png)$ [NC,OR]
  RewriteCond    %{QUERY_STRING} \.(gif|jpe?g|png)$ [NC]
  RewriteCond    %{HTTP_REFERER} !^$
  RewriteCond    %{HTTP_REFERER}
!^http://([a-z0-9]+\.)?yourdomain\.here [NC]
  RewriteCond    %{HTTP_REFERER} !^http://([a-z0-9]+\.)?google\.com
[NC]
  RewriteRule    (.*) - [F,L]


Dibs to
http://underscorebleach.net/jotsheet/2004/06/htaccess-prevent-hotlinking
for giving me a starting point.




------------------------------------------------------------------------

Thu, 01 Dec 2005 13:40:58 +0000 : Morbus Iff

Won't fix. This has nothing to do with Drupal, and is standard website
administration. And some people, believe it or not, want to maintain
the spirit of the web (preventing image hotlinking is nothing more than
a rabid Ticketmaster running around suing for deep links).




------------------------------------------------------------------------

Wed, 21 Dec 2005 16:46:19 +0000 : crackerjackmack at evilsquid.net

While it maybe your view to promote the spirit of the web, I've had many
requests for code to prevent hot linking.  I've done a lot of testing to
ensure that this code works with drupal.  Because I've had quite a few
requests for it, I believed that it would be useful to the community
and should be include with drupal core.


Take this (true) example.  A female model competition site had hosting
with a company on a shared hosting plan.  They were given a notice that
if they did not take measures to prevent hot linking their hosting would
be in terminated per the AUP that was in place with that hosting
company.  Regardless if they believed in the spirit of the web,
transfering to a new server, takes time.  Maybe they only need to
impliment hotlinking for a few days while they transfered their data to
a new hosting provider, and maybe they just hate leeches and left it up
for the remainder of the site's existience.  Either way, they asked for
this snip of code and I provided it.


I believe, that while you may or may not agree with a view point, it
doesn't mean you should deprive users of choices.  I believe in choice,
despite the /true/ existince of it.  I believe that my viewpoints are
void when people are given a choice.  We could get into a deep debate
about all of that, but I shall try to spare everyone.


I think as a comprimise, there should be a hotlinking.txt file with a
speach about how much you disagree with hotlinking, and then at the
bottom, have this snippet of code.  While still providing the choice to
users as to whether or not they wish to read your speach, or even use
the code.  I do not suggest that it be in drupal core .htaccess
uncommented by default.  I don't agree with that at all and not what I
was suggesting in the slightest.  I just wanted to have working,
drupal-safe, ModRewrite code that was available to the community and
not locked up in my private collection of patches and hacks.  I've done
some tests and I believe it will work with almost any configuration of
drupal, thus, I believe it is relavent to drupal.  Besides, most
"copy-n-paste" ModRewrites do not work with drupal, and is why I worked
this one out.


I don't mean to offend and I definantly wasn't asking for a plug.  I
just wanted the code included as a choice for everyone is all.  Nothing
personal, I don't honestly use it or want to use it.  I *had* it running
on my website as an example only and really have no use for it
otherwise.




------------------------------------------------------------------------

Wed, 21 Dec 2005 17:06:38 +0000 : killes at www.drop.org

While I agree that the posted code seems usefull for certain cases I
doubt it will be included in Drupal core as it isn't really useful for
most sites. Maybe it should be posted somewhere here on the site in the
tips&tricks section.

More information about the documentation mailing list