What is Hotlinking?


Hotlinking is the act of stealing someone else’s bandwidth by linking directly to their website’s assets (images, videos, etc.). For example, let’s say the owner of website A is hosting a particular image on their server. The owner of website B sees that image and decides he wants it featured on his website as well. However, instead of downloading the image and hosting it on his own server, the owner of website B links directly to website A’s domain. So instead of linking to the image via their own domain, such as:

  • https://websiteB.com/path/to/image.jpg

They would be instead using website A’s domain:

  • https://websiteA.com/path/to/image.jpg

Hotlinking someone’s website assets can vastly increase their hosting costs. This article will highlight ways you can avoid hotlinking another website’s assets if you are a web user and how to protect against hotlinking if you are a website owner.

How to Avoid Hotlinking

As a website user you should always try to avoid hotlinking assets from other websites. Doing so helps ensure that the original owner of the asset won’t incur unnecessary charges and that the asset you link to won’t become inaccessible if the owner implements hotlink protection or removes the asset. The following are a couple of solutions for avoiding hotlinking.

  • Host the assets on your own server. If you have found an image from another website and you would like to use it on your own website, you can upload the image directly to your server and deliver it from there. Doing this will also increase the delivery speed of the asset as the browser does not need to perform an additional DNS lookup.
  • Use a third party host. Using images as an example again, if you find an image that you want to link to but don’t have a server to upload it to, you can use a third party host. An image hosting service such as imgur for example will allow you to upload your image and link to it directly within your website or any other location.

In both cases, ensure that you have the proper authority to use someone else’s assets (i.e. the owner has given you permission, the asset is released under a Creative Commons license, etc.).

Hotlink Protection via the Origin Server

If an image on your website is being referenced somewhere else, thus consuming your bandwidth, you can implement hotlink protection. This allows only specific referrers to access your assets. The following sections show how to achieve this protection with both Nginx and Apache.


The first line of the following Nginx snippet defines which file extensions are protected from hotlinking. The next line defines which websites are allowed to link to these file types. This must always include your own domain as well as any other domains which require access. Any website that is not listed in the snippet below will receive a 403 error when trying to load your assets.

# Match requests for the listed image extensions (the dot must be escaped)
location ~ \.(gif|png|jpe?g)$ {
    # Allow no Referer, stripped Referers, and yourwebsite.com plus its subdomains
    valid_referers none blocked .yourwebsite.com;
    if ($invalid_referer) {
        return 403;
    }
}

A particular directory can also be protected from hotlinking. In the snippet below we have defined the /media/ directory and have set the allowed referrers to solely .yourwebsite.com (the period before the domain means that all subdomains are also included).

# Protect everything under /media/ regardless of file extension
location /media/ {
    valid_referers none blocked .yourwebsite.com;
    if ($invalid_referer) {
        return 403;
    }
}


For Apache users, hotlink protection can be defined within the .htaccess file. The example below takes a different approach in that you explicitly define which domains you do not want to be able to link to your assets. Therefore, all domains within this list will receive a 403 Forbidden error while any domain not on the list will be able to access the assets as expected.

RewriteEngine On
# Deny the request if the Referer matches any listed domain (NC = case-insensitive)
RewriteCond %{HTTP_REFERER} unwanteddomain\.com [NC,OR]
RewriteCond %{HTTP_REFERER} unwanteddomain2\.com [NC]
RewriteRule .* - [F]

Additionally, you can use a hotlink protection tool to generate an .htaccess file with the hotlink protection setting of your choice. With this tool, simply define the allowed domains, whether you want to allow blank referrers or not, and the file extensions you want to protect.
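To make the difference between the Nginx allow-list (none, blocked, .yourwebsite.com) and the Apache deny-list concrete, here is an added example that is not part of the original article or of Nginx/Apache: a simplified Python model of how each snippet decides on a request based on its Referer header. The policies and sample Referer values are constructed for illustration, and the model only approximates the real modules (scheme check, leading-dot subdomain match, case-insensitive deny patterns).

```python
import re
from urllib.parse import urlsplit

# Constructed sample policies mirroring the two snippets above
NGINX_VALID_REFERERS = ["none", "blocked", ".yourwebsite.com"]
APACHE_UNWANTED = [r"unwanteddomain\.com", r"unwanteddomain2\.com"]


def nginx_invalid_referer(referer, valid=NGINX_VALID_REFERERS):
    """Simplified model of nginx's $invalid_referer for one Referer header.

    referer is the raw header value, or None when the header is absent.
    """
    if referer is None:
        # 'none' allows requests that carry no Referer header at all
        return "none" not in valid
    if not referer.lower().startswith(("http://", "https://")):
        # 'blocked' allows a Referer a proxy/firewall has stripped or mangled
        return "blocked" not in valid
    host = urlsplit(referer).hostname or ""
    for pattern in valid:
        if pattern in ("none", "blocked"):
            continue
        if pattern.startswith("."):
            # leading dot: the domain itself plus every subdomain
            if host == pattern[1:] or host.endswith(pattern):
                return False
        elif host == pattern:
            return False
    return True


def nginx_status(referer, valid=NGINX_VALID_REFERERS):
    """HTTP status the Nginx location block would return for this Referer."""
    return 403 if nginx_invalid_referer(referer, valid) else 200


def apache_status(referer, unwanted=APACHE_UNWANTED):
    """Deny-list model of the .htaccess snippet: only listed domains get 403."""
    if referer is not None and any(
        re.search(p, referer, re.IGNORECASE) for p in unwanted
    ):
        return 403
    return 200


if __name__ == "__main__":
    samples = [None, "https://blog.yourwebsite.com/post", "https://other.example/embed",
               "https://unwanteddomain.com/x", "garbage"]
    for ref in samples:
        print(f"{ref!r:40} nginx={nginx_status(ref)} apache={apache_status(ref)}")
```

Note that a Referer of "garbage" passes the Nginx rule only because `blocked` is in the list; drop it and such requests get a 403 too.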

Hotlink Protection With a CDN

Certain CDNs also provide hotlink protection for their users. KeyCDN for example has a feature called Zonereferrers which allows users to restrict HTTP referrers. This is an easy and convenient way to ensure websites aren’t using your CDN traffic to embed your assets on their website.


This feature can be easily implemented by navigating to the Zonereferrers tab in the KeyCDN dashboard and defining which domains should be allowed to refer to your assets. Once this is complete, simply use the HTTP Check tool to ensure that you have properly set up your zonereferrers and are receiving expected responses.


    1. Cody

      Hey Donna, to be on the safe side I’d recommend adding search engine bots (e.g. google, bing) to your list of allowed referrers as well. This will ensure that there are no mismatches between the image displayed by the search engine and the image shown when you click the “view image” link in the SERPs.

    1. Cody

      Hey Seth, hotlink protection shouldn’t affect a reader’s ability to pin images to Pinterest, however if a reader tries to visit the image directly via Pinterest they will receive a 403 as the Referrer header will be Pinterest. Unless of course you configure your hotlink protection settings to mark Pinterest as an allowed referrer.

  1. Benjamin Fontanelli

    Hey guys!
    I would like to use this feature as sometimes some people are hotlinking my images on pages with high traffic. In the last two hours I had over 40.000 requests. Now there’s one problem: 10% of my visitors are coming from Google’s image search. If they click now on “Show Image” they get a “403 Forbidden” message. You support *.domain.com wildcards, but I would prefer Google.* as Google has over 30 TLDs of which people request my images. Any suggestions?
