
Friday, March 6, 2009

Strong hotlink protection with Helicon Ape mod_hotlink module

Hello everyone!
We are happy to inform you that Helicon Ape and newer now offers additional functionality, most notably the mod_hotlink module. To give you a feel for its power, we offer a brief overview backed by real practical examples.

The mod_hotlink module is aimed at protecting your web server from people stealing your traffic by linking directly to the content on your server. This is especially important for those hosting image, video and document archives and other downloadable content.

After enabling mod_hotlink your site will work as if nothing happened: all search engines and backward links will still be valid, and all users' favorites will keep working. But if someone tries to embed your stuff directly on their site, they will only see an error message or your site's logo. You can save tons of traffic and thus money. You can even turn these hotlinks into real visitors by redirecting hotlink requests to your site's homepage.

Protection methods

mod_hotlink offers three protection methods, each having its advantages and peculiarities:
  • LINK: This is the most comprehensive and powerful protection method. In this mode mod_hotlink edits each link to protected content on your site by adding a special cryptographic signature. You specify an expiration time for the signature, after which the link becomes invalid (e.g. 30 minutes after it was requested). The LINK method is not sensitive to HTTP Referer modifications, disabled cookies or disabled JavaScript in users' browsers. mod_hotlink is capable of protecting any file types including streaming media and embedded content.
  • REFERER: Simply checks the HTTP Referer header and rejects all requests to the protected content from unknown sites. You may use white and black lists based on Referer and User-Agent values to allow requests from friendly sites and protect against some ugly hacks. This method does not require any configuration or modification to your site and is a convenient way to protect image archives.
  • REDIRECT: Checks the Referer header value but performs a redirect to a temporary signed link instead of returning content. It may be difficult to understand the theory of this method, but the only thing you need to know is that it provides a moderate protection level for some embedded content that cannot be protected by the REFERER method: content like PDF files, Flash and Media Player movies, audio and so on. Just as in the previous method you don't have to change anything; just enable mod_hotlink and specify a protection folder.


Enough theory; it's time for the examples we promised. Following are examples for each protection method with a thorough explanation.

1. Referer protection method

The task is to protect all images from hotlinking; allow referers from your own site and empty referers.
The solution using mod_rewrite is:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)? [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F]
The same solution using mod_hotlink looks like:
<FilesMatch \.(jpg|jpeg|png|gif)$>
  HotlinkProtect / [Referer]
  HotlinkAllow Referer ^$
  HotlinkAllow Referer ^https?://(?:www\.)?
</FilesMatch>
How it works:
When a browser makes a request, it passes a Referer header that shows the URL of the page containing the requested resource.
Say you have a page default.html on your site and it contains a link <a href="/img/picture.gif">picture</a>. If you click on this link, the browser generates the following request:
GET /img/picture.gif HTTP/1.1
Note! If you put the address of the resource directly into the browser address bar, the Referer header is not passed.
  • Referer header value is verified for specified file types, i.e. jpg|jpeg|png|gif.
  • HotlinkAllow Referer ^$ – allows access if Referer header is empty or missing.
  • HotlinkAllow Referer ^http(s)?://(www\.)? – allows access if Referer header starts with your domain name.
  • All others will get "403 Forbidden" for this request.
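The rule evaluation described above, as an added example that is not Helicon's code: example.com is a placeholder for the site's own domain (the patterns on this page omit it), and the requests are constructed. It also compares the own-site pattern with and without an anchor after the domain name, because an unanchored pattern accepts any Referer whose host merely begins with that name.

```python
import re

# Assumption: example.com stands in for the site's own domain, which the
# page's patterns leave out. The requests below are constructed sample data.
PROTECTED = re.compile(r"\.(jpg|jpeg|png|gif)$", re.I)
ALLOW_EMPTY = re.compile(r"^$")
# Own-site pattern that stops right after the domain name (unanchored).
ALLOW_LOOSE = re.compile(r"^https?://(?:www\.)?example\.com", re.I)
# Same pattern, but the host must end right after the domain name.
ALLOW_STRICT = re.compile(r"^https?://(?:www\.)?example\.com(?:[:/?#]|$)", re.I)


def decide(path, referer, own_site):
    """Return the HTTP status a Referer-based rule set would produce."""
    if not PROTECTED.search(path):
        return 200                      # not a protected file type
    referer = referer or ""             # a missing header counts as empty
    if ALLOW_EMPTY.search(referer) or own_site.search(referer):
        return 200                      # empty Referer or own site
    return 403                          # all others: 403 Forbidden


SAMPLE_REQUESTS = [
    ("/img/picture.gif", "http://www.example.com/default.html"),
    ("/img/picture.gif", None),
    ("/img/picture.gif", "http://other.test/gallery.html"),
    ("/img/picture.gif", "http://example.com.other.test/page.html"),
    ("/default.html", "http://other.test/gallery.html"),
]


def run(own_site):
    """Evaluate every sample request against the given own-site pattern."""
    return [decide(path, ref, own_site) for path, ref in SAMPLE_REQUESTS]


if __name__ == "__main__":
    print("loose :", run(ALLOW_LOOSE))
    print("strict:", run(ALLOW_STRICT))
```
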

2. Redirect protection method

The Redirect method is usually used to protect .pdf and .swf files, as Internet Explorer sets an incorrect Referer header for such files when the user clicks "Save As…":
<FilesMatch \.(?:pdf|swf)$>
  HotlinkSignature password
  HotlinkProtect / [Redirect]
  HotlinkAllow Referer ^$
  HotlinkAllow Referer ^https?://(?:www\.)?
</FilesMatch>
How it works:
  • The user requests the page (e.g. default.html). This page has a tag <a href="/doc/test.pdf">pdf</a>.
  • The browser requests and passes Referer
  • mod_hotlink checks the rules (given above).
  • HotlinkAllow Referer ^http(s)?://(www\.)? – allows further processing.
  • Instead of granting direct access to test.pdf mod_hotlink performs redirect to a dynamically generated address
  • Browser requests
  • mod_hotlink verifies signature validity and then grants access to test.pdf.
All of this is necessary to work around the noncompliance of some browsers with the standards (Internet Explorer in particular), as they sometimes don't set the Referer header for successive requests to the same resource.

3. Link protection method

Link protection is completely independent of the Referer header, but it requires manually correcting the links on your pages.
For this example we need the following files in the root of the site:
  • default.html
  • .htaccess
  • test.pdf
default.html page should have the following tag:
<object  data='xxxxxxxxxxxxxxxx/test.pdf' type='application/pdf' > </object>
.htaccess must be configured as follows:
SetEnv mod_hotlink
HotlinkSignature password
<Files *.pdf>
  HotlinkProtect / [Link]
</Files>
When the user requests default.html, mod_hotlink replaces the Xs in the tag with a specially generated sequence:
<object data='90f630427786fd84/test.pdf' type='application/pdf'> </object>
How it works:
  • The user requests the page (e.g. default.html).
  • mod_hotlink replaces xxxxxxxxxxxxxxxx in the tag with a dynamically generated signature.
  • The browser finds the tag <object data='90f630427786fd84/test.pdf' type='application/pdf' > </object> and makes a subrequest http:// (regardless of whether Referer is passed or not).
  • mod_hotlink verifies signature validity and then grants access to test.pdf.
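A sketch of how an expiring signed link can be issued and verified, added here as an illustration and not Helicon Ape's actual algorithm or token format (which this page does not describe). It assumes an HMAC-SHA256 over the expiry time and path, keyed with the HotlinkSignature value, and a 40-character token rather than the 16-character one shown above; the REDIRECT method ends with the same kind of verification step.

```python
import hashlib
import hmac
import re

SECRET = b"password"   # stands in for the HotlinkSignature value
TTL = 30 * 60          # link lifetime in seconds (30 minutes)


def make_token(path, now, secret=SECRET, ttl=TTL):
    """Token = 8 hex digits of expiry time + 32 hex digits of HMAC."""
    expires = f"{int(now) + ttl:08x}"
    mac = hmac.new(secret, f"{expires}{path}".encode(), hashlib.sha256)
    return expires + mac.hexdigest()[:32]


def rewrite_page(html, now):
    """Replace each xxxxxxxxxxxxxxxx placeholder with a fresh token."""
    return re.sub(r"x{16}(/[^'\"\s>]+)",
                  lambda m: make_token(m.group(1), now) + m.group(1), html)


def check_request(url_path, now, secret=SECRET):
    """Return 200 for a valid, unexpired signed path, otherwise 403."""
    m = re.fullmatch(r"/?([0-9a-f]{8})([0-9a-f]{32})(/.+)", url_path)
    if not m:
        return 403                       # unsigned or malformed link
    expires, mac, path = m.groups()
    good = hmac.new(secret, f"{expires}{path}".encode(), hashlib.sha256)
    # Constant-time comparison so the check does not leak MAC prefixes.
    if not hmac.compare_digest(mac, good.hexdigest()[:32]):
        return 403                       # path or expiry was altered
    if int(now) > int(expires, 16):
        return 403                       # signature has expired
    return 200


# Constructed sample page and request time (not taken from a real server).
SAMPLE_HTML = ("<object data='xxxxxxxxxxxxxxxx/test.pdf' "
               "type='application/pdf'> </object>")
SAMPLE_NOW = 1236297600

if __name__ == "__main__":
    page = rewrite_page(SAMPLE_HTML, SAMPLE_NOW)
    link = page.split("'")[1]
    print(page)
    print("after 1 minute  :", check_request(link, SAMPLE_NOW + 60))
    print("after 31 minutes:", check_request(link, SAMPLE_NOW + 31 * 60))
```
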
Well, that's all for today. We hope you now have some understanding of mod_hotlink's capabilities and can see what you can apply them to. We look forward to your comments after your first steps with mod_hotlink. Don't give leechers a single chance!

Best regards,
HeliconTech Team


  1. Hey is there any way that if the person who is hot-linking you, their users get re-directed to your site.

    I have this site but I want the competitors to take a bunch of stuff then when they take enough, I plan on switching on this code then BAM instant customers.

  2. Sure, it's possible. Here's the code for mod_hotlink in Helicon Ape:

    <FilesMatch \.(jpg|jpeg|png|gif)$>
    HotlinkType Referer
    HotlinkAllow Referer ^$
    HotlinkAllow Referer ^https?://(?:www\.)?
    </FilesMatch>

    And here's the syntax for ISAPI_Rewrite3:

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)? [NC]
    RewriteRule \.(jpg|jpeg|png|gif)$ [NC,R,L]

  3. ok that did not work, it stops the access to my content which I already have. but it does not send them to my homepage.

  4. Hi, Mr.Pro.
    We'd love to help you, so let's move our discussion to our support forum. Please create a new post in the appropriate forum and give a thorough description of your needs.

  5. alright I started one. thanks!