scriptygoddess

07 May, 2002

Protect your images with .htaccess

Posted by: amy In: How to's

.htaccess files are lovely, lovely things. They do exactly what the name implies: control access to your files. About six months ago, I had problems with a bunch of l33t brats 'borrowing' my bandwidth and using a few of my photos on message boards.

So I decided to take their toy away.

A lovely thing about .htaccess files: if you place them in a directory, the conditions and permissions you set up affect all subfolders of that folder. So, if you want to protect all your images, just drop a single .htaccess file in your main images directory, and all subfolders are taken care of.

Here's the code that I'm using for my .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://YOURSITE.COM/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://WWW.YOURSITE.COM/.*$ [NC]
RewriteRule .*\.(gif|jpg)$ - [N,F,L]

It's a good idea to do both yoursite.com and www.yoursite.com. Also, if you know of any other sites that you want to allow to use your images, be sure to add in a line for them in this file.

If a request carries an HTTP_REFERER that doesn't match one of the strings you've provided in those lines, the image request will result in a 403 error. Requests that send no referer at all are let through by the first condition.
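The decision this rule set makes for a given request, modelled in Python as an added example (not code from the original post). The request paths and Referer values are constructed, and Python's `re` module stands in for Apache's regex engine.

```python
import re

# RewriteCond patterns from the post. Each is negated with "!" in the
# .htaccess, so a condition holds when the Referer does NOT match it.
# YOURSITE.COM is the post's own placeholder.
CONDITIONS = [
    (r"^$", 0),                                         # no [NC] flag
    (r"^http://YOURSITE.COM/.*$", re.IGNORECASE),       # [NC]
    (r"^http://WWW.YOURSITE.COM/.*$", re.IGNORECASE),   # [NC]
]
# RewriteRule pattern; it carries no [NC], so it is case-sensitive.
RULE = re.compile(r".*\.(gif|jpg)$")


def decide(path, referer):
    """Return the status the rule set yields: 403 if forbidden, else 200."""
    if not RULE.search(path):
        return 200  # rule pattern does not match, conditions are never checked
    for pattern, flags in CONDITIONS:
        if re.search(pattern, referer, flags):
            return 200  # a negated condition failed, so the rule is skipped
    return 403  # all conditions held: the F flag answers 403 Forbidden


# Constructed requests: (path, Referer value); "" means the header is absent.
SAMPLES = [
    ("photos/cat.jpg", ""),                                # typed URL or stripped Referer
    ("photos/cat.jpg", "http://YourSite.com/blog/"),       # own page, mixed case
    ("photos/cat.jpg", "http://www.yoursite.com/"),        # own page, www host
    ("photos/cat.jpg", "http://forum.example/thread/42"),  # another site embedding it
    ("photos/cat.jpg", "https://yoursite.com/blog/"),      # own page served over https
    ("photos/cat.JPG", "http://forum.example/thread/42"),  # upper-case extension
    ("photos/cat.png", "http://forum.example/thread/42"),  # extension not in the rule
]


def audit(samples=SAMPLES):
    """Evaluate every sample and return (path, referer, status) tuples."""
    return [(path, ref, decide(path, ref)) for path, ref in samples]


if __name__ == "__main__":
    for path, ref, status in audit():
        print(f"{status}  {path:<15} Referer: {ref or '(none)'}")
```

The last three rows are the ones to check against your own site: pages served over https need their own allow lines, and image types or upper-case extensions missing from the rule are served to everyone.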

To use this code on your site…

Make sure you can see hidden files (files beginning with a .) with your FTP client. (It's really hard to edit or delete files you can't see.) Paste these lines into a blank text document, save it as .htaccess, and upload it to your images directory.

That should be all!

49 Responses to "Protect your images with .htaccess"

1 | Thor

May 7th, 2002 at 2:02 pm

Don't forget to put in the IP address as well. Sometimes search engines cache the IP and you can lose people that way. Also you can do it directly in the Apache config. It's easy if you're using virt hosts. I can dig that up if you want to see it. Also in the same .htaccess you can config an error doc for 403 so they don't get the standard error but a reason why they're getting the error which is usually a good practice to follow.

2 | Thor

May 7th, 2002 at 2:10 pm

Oh yeah, this stuff only works on Apache when the mod_rewrite module is installed. Not all ISPs install mod_rewrite by default. If you do a phpinfo() you can see if it's installed under the Loaded Modules in the Apache section.

3 | Amy

May 7th, 2002 at 2:16 pm

Really? That's pretty interesting — maybe I've just had the good fortune of dealing with good, geeky ISPs. I've come to take it for granted that I'd have access to the goodies of mod_rewrite…

4 | Catherine

May 7th, 2002 at 6:15 pm

Thank you so much Amy, I can definitely use this. I also thought I would mention another line that can be placed in the .htaccess file that will not allow any of the images to be listed (or anything in a specific directory for that matter) in which you do not have an index file.

IndexIgnore *

This way if someone was to snoop in my image file they would see this rather than a complete listing of all the images I may have listed in that file. Make sense?

6 | Row

May 7th, 2002 at 9:14 pm

.htaccess is a marvellous thing, indeed.

I am looking forward to a forum of sorts. Often I'm too shy to request things!

And I was wondering, have you thought of inviting Jade to be a goddess? She's one of my personal favourite php queens, and I'm sure she'd love to be asked.

7 | Gina

May 7th, 2002 at 11:21 pm

Question.. say I have a subfolder named pictures, do I put the .htaccess with the code above in that folder? I already have a .htaccess in use and put this code in above, saved and came up with an Internal Error. I fixed it by taking the code back out. So it was no biggie, but wanted to ask and make sure I'm reading this post correctly. Thank you :)

8 | Christine

May 7th, 2002 at 11:28 pm

Can you include multiple lines in one file? For example, I have two sites – http://www.BlahBlahBlog.com and http://www.pixelwannabe.com/pixelog/ – and I pull images from the Pixelog site in to display on BlahBlahBlog (with a PHP include, thanks to you teaching me how to do them last fall!) I want to make sure that *I* can still pull those pictures across, but no one else can.

9 | Amy (domesticat)

May 8th, 2002 at 12:22 am

Gina:
All I know to tell you is to watch your cut-and-paste very carefully. The code I pasted in is a direct copy from my current .htaccess file, with 'domesticat.net' changed to 'yoursite.com'.

Christine:
Copy the third line of the code listed above. Just duplicate that line, and edit it so that each site you want to *allow* is listed. (Don't forget both with and without the 'www.') That should do it for you – try it out.

Everyone:
I'm going on vacation as of tomorrow morning, and will be afk for a few days. I probably won't be able to check back in again before Sunday.

10 | Promo

May 8th, 2002 at 2:05 pm

Oh what a cool tweak! Thanks!

11 | Phillip Harrington

May 10th, 2002 at 11:11 pm

Thank you for calling attention to a very powerful, but little known feature in Apache. I use .htaccess for all kinds of wackiness, especially in conjunction with mod_rewrite.

12 | Gina

May 14th, 2002 at 8:02 pm

Amy,

I tried this again, and it worked like a charm. When I copy/pasted the code into my .htaccess, it placed it wrong on the page. So I corrected that and it's all set. :)

This is a great thing! Thank you

13 | kristine

May 17th, 2002 at 9:41 am

I'm coming back to this post because I've got a couple direct linkers and want to implement it this afternoon.

My question is – I also have a couple of images that I really do want to show up on different domains. For example, when I post on the pixelitas boards, I have several of my linkback graphics showing up under my signature… and I put up an image here on the css skin for linkback that's hosted on my site. And I'm sharing 4 domains between my site, so I'd want to let all of them use my images. And some stuff like that…..

So I just list all of my domains that I allow to view my images in that script, right? They don't have to be on my IP address for this to work? I'm pretty sure that's what the tutorial means it can do… :)

cooooool! :) I'm gonna try this out, and I'll post back and let ya know how it went :)

14 | Amy

May 17th, 2002 at 10:05 am

Ok. First up, I'd set up a two-line 'allow' for each of your domains:

RewriteCond %{HTTP_REFERER} !^http://site1.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.site1.com/.*$ [NC]

There are two ways to handle the linkback graphics. First, you could 'allow' from your sites and pixelitas — that's the easiest way for the time being.

There's another solution you might want to consider, though. I actually ran into this sort of problem with ezboards. I had a couple of images I wanted to make available on ezboards, but they were also one of my worst sources of direct linkers. I couldn't just let them have access to all my stuff, because it was killing my bandwidth. What I ended up doing was putting a .htaccess file in my main images directory, and creating a separate public_images directory with no .htaccess file.

/public_images/ on cat.net is the place where I drop files that I don't mind other people linking to, such as linkback images and personal icons for web boards and the like.

The linkback images you've got…chances are, if you want to protect most of your images and not those, you'll have to do a bit of shifting around. If there's a way to selectively UNprotect files with .htaccess, it's news to me…

15 | Simply Sara

May 26th, 2002 at 11:14 am

Thank you so much for this! :)

16 | illona

July 8th, 2002 at 9:31 am

Ello, I came across this place while desperately looking for an answer to an .htaccess question.

I have a hta file in my images folder, as above, to protect my images, and it's bliss.

However, I have a java applet for my image gallery to show my images and the applet doesn't seem to like it. Any ideas? I really don't want to un-hta the images folder, I'd be back to square one.

17 | Kristen

July 16th, 2002 at 8:50 am

ok – i'm having some trouble with this. when i drop this code into a .htaccess file and put it into my pictures directory, some pictures no longer show up on my weblog. i don't understand why since my pictures directory and my weblog are both running on the same domain. any tips?

18 | illona

July 19th, 2002 at 2:52 pm

Kristen, you might be having a similar problem to me. I have a cgi script that runs my image galleries and it doesn't like htaccess at all. If I come up with an answer I'll make sure I'll post it here 😉
illona
x

19 | illona

July 19th, 2002 at 2:56 pm

ooh ooh, I forgot to add, if you have hta's in any directories 'above' – it will process those first. i.e. it'll move down through file tree and process each one it comes across. I'm just deleting my hta's above my image folder now to see whether that has a difference.

If you're on a shared server, make sure you add:

RewriteRule /* http://www.yoursite.com [L,R]

– so that the server knows who 'you are' before it commences processing.

~disappears in a mist of hta~

ills
xxx

20 | rick

July 25th, 2002 at 1:59 am

I would like to know how to limit access to a certain page of mine to only those people coming from a specific page from another website. I believe that I can do this with .htaccess but need to know how. I'm not looking to Password protect my page, just limit its access to a specific referring URL. Can anyone help? Thanks.

21 | Jennifer

July 25th, 2002 at 8:06 am

I'm still very much a newbie when it comes to htaccess, but I can think of a quick and dirty way with php to do it. On the link from the other page have it pass a variable into the url… for example: http://www.theotherpage.com/page.php?caniseeit=yes

then on your page you check to see if the caniseeit variable is set (and is set correctly) then display the page, otherwise don't.

If you want more specifics (ie. the specific code that goes on your page), let me know

22 | karl

August 1st, 2002 at 1:47 pm

I would prefer to have a rule which authorizes everyone except the ones I have blacklisted.

There are some domains which are using forums and put images in them, etc., but I don't mind if Google indexes my images or if someone asks me for permission to use one of my images.

23 | Rickster

August 1st, 2002 at 2:13 pm

For Jennifer, on July 25th you responded to my post of the same day. I still am unable to do what I was trying to do as stated in my post and really need some help. Will you write me directly please and I'll give you all the info on what I am trying to do. If another coder here on the board wants to help as well, please write. Thank you to all.

24 | Anonymous

September 19th, 2002 at 4:53 pm

Karl, to maintain a blacklist you could do this:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} ^http://siteidontlike.com/.*$
RewriteRule .*\.(gif|jpg)$ - [N,F,L]

Note the lack of the ! in the referer you don't like.

Good luck,
Phillip

25 | Robbert-Jan

January 21st, 2003 at 11:51 am

Does someone know how to serve up a different image saying "visit my site at http://www.blah.com" instead of serving up nothing?

Or is someone able to give me a hint?

26 | suebailey

February 19th, 2003 at 9:13 am

If you don't have mod_rewrite, you can do this instead:
SetEnvIfNoCase Referer "^http://www.yourdomain.com/" allowed=1
SetEnvIfNoCase Referer "^http://yourdomain.com/" allowed=1
SetEnvIfNoCase Referer "^$" allowed=1
<FilesMatch "\.(gif|png|jpe?g)$">
Order Allow,Deny
Allow from env=allowed
</FilesMatch>

27 | rebecca

March 11th, 2003 at 12:33 am

i've been having troubles with direct linkers for a while now – mainly with sprites i have adopted being used as images on forums and stuff. i had heard you can block sites with .htaccess but i wanted to know exactly how – this is really great – thanks. i am gonna add it to my site when i update next. i also plan to browse this site some more to see what other cool stuff you have. :)

29 | Alexander Wigen

October 17th, 2003 at 9:33 pm

I used this .htaccess to allow links to certain filetypes, so it's possible for external docs to link to my php files in the same directory as the images, but not to the images.

SetEnvIfNoCase Referer "^http://www.yourdomain.net/" allowed=1
SetEnvIfNoCase Referer "^http://yourdomain.net/" allowed=1
SetEnvIfNoCase Referer "^$" allowed=1

Order Allow,Deny
Allow from env=allowed

<Files "*.php">
Order Allow,Deny
Allow from all
</Files>

30 | Farhan Lalji

February 5th, 2004 at 4:59 am

If you can't see .htaccess files, you can upload and overwrite by uploading blank .htaccess files to remove any authentication scripting you may have set up.

31 | Celeste

February 19th, 2004 at 5:31 am

OK.. I've almost gotten it to block direct linking on every site except the ones I want it to. However, on my LiveJournal userinfo page, it doesn't seem to want to work. When I add the URL (http://www.livejournal.com/userinfo.bml?user=starsprinkles) to the .htaccess, it still doesn't allow direct linking — but it does in the journal itself so it's not LJ as a whole. I was thinking maybe since the userinfo is a .bml that has something to do with it? I'm not at all familiar with .bml so I have no clue, that was just the only thing I could think of.

Anyway, I was thinking for a solution I would just do the public images folder thing. However, I'm unsure as to how to do that if the .htaccess works from the top down. Will I have to put a separate .htaccess in every folder for this to work, or can I have the main .htaccess block direct linking but have a folder that allows it?

32 | Bobby Duplex

February 21st, 2004 at 4:32 pm

Hi,
perhaps I'm thick or summat but I have the module installed and I have put in the .htaccess file as described but none of my images are displayed.

Anybody got an idea what I'm doing wrong?

33 | Bobby Duplex

February 22nd, 2004 at 12:21 pm

Hi, I fixed that problem but I have found that if you refresh the page the images do not appear. any clues?

34 | JDO

May 1st, 2004 at 12:41 pm

Just to let you know and be aware, anyone can easily get around this by using PHP, or something else to modify the HTTP request to set the 'Referer' header line to whatever they want. For example, if someone created an HTTP request to your website that had this in the header area:

Referer: http://YOURSITE.COM/

HTTP_REFERER would be set to that, even if it did not come from you.

35 | alexis

May 7th, 2004 at 8:45 pm

hi
i created a site with basic html and java knowledge. i use earthlink hosting and i want to know how or where can i learn about .htaccess files

36 | tray

June 28th, 2004 at 4:35 pm

I've seen .htaccess codes where you can replace the image they are trying to direct link with another image. How can this be done?

38 | Tek

June 29th, 2004 at 3:23 pm

RewriteRule .*\.(gif|jpg|jpeg|bmp)$ http://www.YOURSITE.COM/PATHTO/ALTERNATEIMAGE.jpg [R,NC]

39 | tray

July 3rd, 2004 at 2:47 pm

Thanks so much! I've tested it out, and for some reason the alternative image isn't showing up, however it does stop the images from being hot linked. I'm not sure if it has anything to do with it, but instead of placing the .htaccess file in the root directory, I placed it in a certain folder/directory in which I had the most trouble with ppl direct linking images from. It does fix the main problem and I'm happy about that. I just wish the alternative image would show up because it would be too funny! *giggle*

40 | tray

July 3rd, 2004 at 2:50 pm

whoops I have another problem now. Now the images aren't showing up on my own site. :-S

41 | Tek

July 4th, 2004 at 8:13 am

I see images. Are you still having a problem?

42 | cart

August 3rd, 2004 at 8:09 pm

could this .htaccess protect zip files too? or images only?
how should i write .htaccess to protect against hotlinking to a zip file?
thanks a lot :)

43 | tray

August 4th, 2004 at 4:26 pm

I put the .htaccess file in a certain directory where I had the most trouble with ppl direct linking like my smilies and pixel adoptions. So, only where those images were the ones that weren't showing up. But I finally realised that for some reason, when I had my internet security enabled is when they wouldn't show up. Yet, when I would disable it they would show up. I really don't know why.. maybe something to do with cookies because it happens quite often with other sites' images as well. But thank you for trying to help! :)

44 | tray

August 4th, 2004 at 4:29 pm

cart, I'm not exactly sure but maybe you can try this:

RewriteRule .*\.(gif|jpg|zip)$ - [N,F,L]

45 | cart

August 12th, 2004 at 12:13 pm

thanks a lot tray :)
i'll put the code.
now, how do i know they can't hotlink to the file?
can i test by putting the url in the address like: http://www.site.com/file.zip ?
or… ?
can you tell me how i can test it?
thanks :)

46 | andy

August 24th, 2004 at 5:09 am

Thank you very much for this piece of code! 😀

47 | tray

September 10th, 2004 at 12:40 am

cart, you're welcome! I'm not so sure how you can test it out. I had actually wondered the same thing and the only way my pea brain could think of was to test it out by direct linking to one of my protected images from a forum that I had joined (like sometimes you can direct link your own images, avatars, buttons). But maybe there is a simpler way of testing it. You could possibly be able to create your own html file linking to the file, save it to your desktop and open it. Make sure you're connected to the internet of course. Sorry if I wasn't much help. :)

48 | P

October 28th, 2004 at 5:00 pm

this thread may be over two years old but it's been a lifesaver to me! lately, a third of my bandwidth has been leeched by LiveJournal twirps who have been direct linking to some of my pictures for their LJ background images. i created and uploaded this .htaccess file in five minutes and the problem was solved. thank you so much!!!

49 | minus

December 29th, 2004 at 2:46 am

every time i do this it will not even allow my site to get the links and if i put it in the main directory it won't even allow me to load my site.. any suggestions?
