What is Hotlinking?


Hotlinking is the practice of consuming someone else’s bandwidth by linking directly to their website’s assets (images, videos, etc.). For example, let’s say the owner of website A is hosting a particular image on their server. The owner of website B sees that image and decides to feature it on their own website as well. However, instead of downloading the image and hosting it on their own server, the owner of website B links directly to website A’s domain. So instead of linking to the image via their own domain, such as:

  • https://websiteB.com/path/to/image.jpg

They would be instead using website A’s domain:

  • https://websiteA.com/path/to/image.jpg

Hotlinking someone’s website assets can vastly increase their hosting costs. This article will highlight ways you can avoid hotlinking another website’s assets if you are a web user and how to protect against hotlinking if you are a website owner.

How to Avoid Hotlinking

As a website user you should always try to avoid hotlinking assets from other websites. Doing so helps ensure that the original owner of the asset won’t incur unnecessary charges and that the asset you link to won’t become inaccessible if the owner implements hotlink protection or removes the asset. The following are a couple of solutions for avoiding hotlinking.

  • Host the assets on your own server. If you have found an image from another website and you would like to use it on your own website, you can upload the image directly to your server and deliver it from there. Doing this will also increase the delivery speed of the asset as the browser does not need to perform an additional DNS lookup.
  • Use a third party host. Using images as an example again, if you find an image that you want to link to but don’t have a server to upload it to, you can use a third party host. An image hosting service such as imgur for example will allow you to upload your image and link to it directly within your website or any other location.

In both cases, ensure that you have the proper authority to use someone else’s assets (i.e. the owner has given you permission, the asset is part of a creative commons license, etc.)

Hotlink Protection via the Origin Server

If an image on your website is being referenced somewhere else, thus consuming your bandwidth, you can implement hotlink protection. This allows only specific referrers to access your assets. The following sections show how to achieve this protection with both Nginx and Apache.

Nginx

The first line of the following Nginx snippet defines which file extensions are protected from hotlinking. The next line defines which websites are allowed to link to these file types. This must always include your own website domain as well as any other domains that require access. Any website not listed in the snippet below will receive a 403 error when it tries to reference your assets.

# Match requests for the protected extensions (the dot must be escaped; "~" is case-sensitive)
location ~ \.(gif|png|jpe?g)$ {
    # none    = requests without a Referer header (typed URLs, bookmarks) are allowed
    # blocked = Referer present but without http:// or https:// (stripped by a proxy) is allowed
    # .yourwebsite.com = yourwebsite.com and all of its subdomains are allowed
    valid_referers none blocked .yourwebsite.com;
    if ($invalid_referer) {
        return 403;
    }
}

A particular directory can also be protected from hotlinking. In the snippet below we have defined the /media/ directory and have set the allowed referrers to solely .yourwebsite.com (the period before the domain means that all subdomains are also included).

# Protect everything under /media/, regardless of file extension
location /media/ {
    valid_referers none blocked .yourwebsite.com;
    if ($invalid_referer) {
        return 403;
    }
}

Apache

For Apache users, hotlink protection can be defined within the .htaccess file. The example below takes a different approach in that you explicitly define which domains you do not want to be able to reference your assets. All domains in this list will receive a 403 Forbidden error, while any domain not on the list will be able to access the assets as expected.

# Enable mod_rewrite processing for this .htaccess file
RewriteEngine On
# Block when the Referer contains either domain ([NC] = case-insensitive, [OR] = chain the conditions)
RewriteCond %{HTTP_REFERER} unwanteddomain\.com [NC,OR]
RewriteCond %{HTTP_REFERER} unwanteddomain2\.com [NC]
# Any request that satisfied a condition above gets 403 Forbidden
RewriteRule .* - [F]

Additionally, you can use a hotlink protection tool to generate an .htaccess file with the hotlink protection settings of your choice. With this tool, simply define the allowed domains, whether you want to allow blank referrers or not, and the file extensions you want to protect.
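The Nginx allowlist above and the Apache blocklist behave differently on the same request, and the difference is easy to miss until you line the two up. The following Python script is an added example, not code from the article or from KeyCDN: it models the decision each snippet makes (Nginx's none / blocked / .domain semantics and Apache's unanchored, case-insensitive RewriteCond match) and runs both over a set of constructed requests. The policy values come from the article's snippets; the request samples and function names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Policy values taken from the article's snippets; everything else in this file is constructed.
PROTECTED_EXT = re.compile(r"\.(gif|png|jpe?g)$")            # nginx: location ~ \.(gif|png|jpe?g)$
NGINX_VALID_REFERERS = ["none", "blocked", ".yourwebsite.com"]
APACHE_BLOCKED_PATTERNS = [r"unwanteddomain\.com", r"unwanteddomain2\.com"]

# Constructed sample requests: (request path, Referer header value, or None when the header is absent).
SAMPLE_REQUESTS = [
    ("/media/logo.png", None),                                 # typed URL / bookmark: no Referer
    ("/media/logo.png", "https://yourwebsite.com/about"),      # your own site
    ("/media/logo.png", "https://blog.yourwebsite.com/post"),  # your own subdomain
    ("/media/logo.png", "yourwebsite.com/about"),              # scheme stripped by a proxy
    ("/media/logo.png", "https://unwanteddomain.com/page"),    # listed hotlinker
    ("/media/logo.png", "https://UnwantedDomain2.COM/x"),      # listed hotlinker, different case
    ("/media/logo.png", "https://notyourwebsite.com/x"),       # lookalike domain, on neither list
    ("/media/notes.txt", "https://unwanteddomain.com/page"),   # extension outside the nginx location
]


def referer_host(referer):
    """Lowercased host of an http(s) Referer, or None when the value carries no http(s) scheme."""
    if not referer.lower().startswith(("http://", "https://")):
        return None  # nginx treats such a value as a 'blocked' (mangled) referrer
    return (urlsplit(referer).hostname or "").lower()


def nginx_allowlist(path, referer, allowed=NGINX_VALID_REFERERS):
    """Status the article's nginx location would return: 200, or 403 when $invalid_referer is set."""
    if not PROTECTED_EXT.search(path):
        return 200  # the location block does not apply to this path
    if referer is None:
        return 200 if "none" in allowed else 403
    host = referer_host(referer)
    if host is None:
        return 200 if "blocked" in allowed else 403
    for name in allowed:
        if name in ("none", "blocked"):
            continue
        if name.startswith("."):  # leading dot: the domain itself plus every subdomain
            if host == name[1:] or host.endswith(name):
                return 200
        elif host == name:
            return 200
    return 403


def apache_blocklist(path, referer, blocked=APACHE_BLOCKED_PATTERNS):
    """Status the article's .htaccess rules would return for any path: 403 when a pattern matches."""
    value = referer or ""  # %{HTTP_REFERER} expands to the empty string when the header is absent
    for pattern in blocked:
        if re.search(pattern, value, re.IGNORECASE):  # unanchored search, [NC] = case-insensitive
            return 403
    return 200


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Return [(path, referer, nginx_status, apache_status)] for each sample request."""
    return [(p, r, nginx_allowlist(p, r), apache_blocklist(p, r)) for p, r in requests]


if __name__ == "__main__":
    for path, referer, ngx, apa in evaluate_all():
        print(f"{path:<18} Referer={referer!s:<36} nginx={ngx} apache={apa}")
```

Two rows are worth a second look. The lookalike domain (notyourwebsite.com) is refused by the allowlist but served by the blocklist, which is the general trade-off: an allowlist needs maintaining only when you add a legitimate site, a blocklist only after you have already paid for the unwanted traffic. And LOGO.PNG would slip past the nginx location as written, because `location ~` is case-sensitive; use `location ~*` if your asset names are not reliably lowercase.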

Hotlink Protection With a CDN

Certain CDNs also provide hotlink protection for their users. KeyCDN for example has a feature called Zonereferrers which allows users to restrict HTTP referrers. This is an easy and convenient way to ensure websites aren’t using your CDN traffic to embed your assets on their website.


This feature can be easily implemented by navigating to the Zonereferrers tab in the KeyCDN dashboard and defining which domains should be allowed to refer to your assets. Once this is complete, simply use the HTTP Check tool to ensure that you have properly set up your zonereferrers and are receiving expected responses.
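Whether the protection lives in Nginx, Apache or a CDN zone, the check is the same: request the asset with no Referer, with your own domain as Referer, and with a foreign one, and compare the status codes. The script below is an added example, not the HTTP Check tool or any KeyCDN code. It provides a small client that performs those probes, and, so that it runs offline, a constructed local stand-in server that allows only yourwebsite.com (and requests without a Referer); the stand-in, its allowlist and the function names are assumptions made for this example.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed stand-in policy: allow yourwebsite.com and requests that carry no Referer at all
# (direct visits and bookmarks send none, so refusing them would break your own visitors).
ALLOWED_REFERER_HOSTS = {"yourwebsite.com"}


class StandInZone(BaseHTTPRequestHandler):
    """Minimal origin/CDN stand-in: serves a placeholder 'image' or answers 403 Forbidden."""

    def do_GET(self):
        referer = self.headers.get("Referer")
        host = urlsplit(referer).hostname if referer else None
        allowed = referer is None or host in ALLOWED_REFERER_HOSTS
        body = b"PLACEHOLDER-IMAGE-BYTES" if allowed else b""
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Type", "image/png" if allowed else "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # keep per-request logging out of the output
        pass


def check_hotlink_protection(asset_url, referers):
    """Fetch asset_url once per Referer value (None = header omitted); return {referer: HTTP status}."""
    statuses = {}
    for ref in referers:
        req = urllib.request.Request(asset_url)
        if ref is not None:
            req.add_header("Referer", ref)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                statuses[ref] = resp.status
        except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx; the code is still the answer
            statuses[ref] = err.code
    return statuses


def run_self_check():
    """Start the stand-in on an ephemeral loopback port, probe it, stop it, return the statuses."""
    server = HTTPServer(("127.0.0.1", 0), StandInZone)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/media/logo.png"
    try:
        return check_hotlink_protection(url, [
            None,                               # direct visit: expect 200
            "https://yourwebsite.com/gallery",  # your own page: expect 200
            "https://unwanteddomain.com/page",  # somebody else's page: expect 403
        ])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for referer, status in run_self_check().items():
        print(f"Referer={referer!s:<36} -> {status}")
```

To check a real deployment, call check_hotlink_protection with the public URL of one protected asset and the same three kinds of Referer; any 200 for a foreign referrer means the rule is not being applied (a common cause is a path or extension that the rule does not cover), and any 403 for the no-Referer case means your direct visitors are being locked out.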