In "Hotlink Protection not working with .htaccess", the problem of preventing hotlinking by means of .htaccess directives was discussed, but the answers there do not provide a solution for my problem.
This is my problem:
In https://janis-joplin.servidor-alicante.com/ I have the following .htaccess:
DirectoryIndex index.php index.html index.htm
Options -Indexes
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://janis-joplin.servidor-alicante.com [NC]
RewriteCond %{HTTP_REFERER} !^https://janis-joplin.servidor-alicante.com [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?google.com [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?facebook.com [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?twitter.com [NC]
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ https://janis-joplin.servidor-alicante.com/_res/janis.jpg [NC,R,L]
RewriteRule ^ads.txt$ ads_tm.php [L]
RewriteRule ^janis-joplin/(.*) /$1 [L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+) - [PT,L]
RewriteRule ^(.+) index.php?url=$1
In https://jimi-hendrix.servidor-alicante.com/_dev/test.htm I have:
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>test</title>
</head>
<body>
<img src="http://janis-joplin.servidor-alicante.com/_photos/wolman.gif">
<img src="https://janis-joplin.servidor-alicante.com/_photos/wolman.gif">
</body>
</html>
But on the jimi-hendrix subdomain I can see the images from the janis-joplin subdomain.
What am I doing wrong? TIA
You need to check the network traffic - HTTP request headers (which you can do in the browser dev tools)... is the Referer header being sent in the request for those images? What is the Referer header set to?
The Referer header will not be sent (by default) in the first image request, since you are making an HTTP (insecure) request from an HTTPS (secure) page. Default browser behaviour suppresses the Referer header in this instance. You explicitly allow an empty Referer header (first condition above) in your "hotlinking" rule block so you would expect the first image to be displayed. (Realistically, you do need to allow an empty Referer header.)
It's not clear why the second image is displayed (assuming your .htaccess directives are being processed) without looking at the HTTP request headers (and knowing what HTTP Referrer-Policy is set on the referring page).
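The interaction described in the answer, as an added example that is not part of the original posts: a simplified model of which Referer a browser sends for each image, run against the Referer conditions from the question's .htaccess. The function names are hypothetical, the default policy is assumed to be strict-origin-when-cross-origin (the default in current browsers), and Python's re module stands in for Apache's regex engine.

```python
import re
from urllib.parse import urlsplit

# Referer conditions copied from the question's .htaccess; each is negated ("!")
# and all are ANDed, so the rule fires only if the Referer matches none of them.
ALLOWED_REFERERS = [
    r"^$",
    r"^http://janis-joplin.servidor-alicante.com",
    r"^https://janis-joplin.servidor-alicante.com",
    r"^https://(www\.)?google.com",
    r"^https://(www\.)?facebook.com",
    r"^https://(www\.)?twitter.com",
]
PROTECTED = re.compile(r"\.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$", re.I)


def referer_sent(page_url, resource_url, policy="strict-origin-when-cross-origin"):
    """Simplified model (assumption) of the Referer a browser sends for a subresource."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    origin = f"{page.scheme}://{page.netloc}/"
    downgrade = page.scheme == "https" and res.scheme == "http"
    same_origin = (page.scheme, page.netloc) == (res.scheme, res.netloc)
    if policy == "no-referrer" or (downgrade and policy != "unsafe-url"):
        return ""  # header suppressed: HTTPS page requesting an HTTP resource
    if policy == "strict-origin-when-cross-origin" and not same_origin:
        return origin  # cross-origin at the same security level: origin only
    return page_url  # no-referrer-when-downgrade, unsafe-url, or same-origin


def is_redirected(path, referer):
    """True if the hotlink rule would redirect this request to janis.jpg."""
    if not PROTECTED.search(path):
        return False
    return not any(re.search(p, referer, re.I) for p in ALLOWED_REFERERS)


if __name__ == "__main__":
    page = "https://jimi-hendrix.servidor-alicante.com/_dev/test.htm"
    for img in ("http://janis-joplin.servidor-alicante.com/_photos/wolman.gif",
                "https://janis-joplin.servidor-alicante.com/_photos/wolman.gif"):
        for policy in ("strict-origin-when-cross-origin", "no-referrer"):
            ref = referer_sent(page, img, policy)
            print(f"{img[:5]:5} {policy:32} Referer={ref!r:50} "
                  f"redirected={is_redirected(urlsplit(img).path, ref)}")
```

If the HTTPS image is served even though the model says it should be redirected, compare the Referer shown in the browser dev tools with the modelled value, then check whether the .htaccess file is being processed at all.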