[HOW-TO] Prevent Hotlink in Drupal 6 + Apache
As far as I can remember, preventing hotlinking in Drupal is not that easy. If you search the web for ways to prevent hotlinking, you will find a lot of snippets to use in an .htaccess file. But those are not for Drupal. You can't just use them in Drupal's .htaccess file; that won't work. However, I have a set of code that works great. Actually, I've had this code for a long time, but I can't remember where I got it from. Thanks to the guy who provided it. Too bad that I didn't save the link at that time.
So, now, here is what we have to do:
Create an .htaccess file under the "files" directory: (Here, I use the old Drupal structure, so my files directory is just one level down from the web root folder.)
nano -w /home/admin/public_html/files/.htaccess
Paste the code below into it.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks
# Prevent Hotlink
SetEnvIfNoCase Referer "^$" local_ref=1
# Next authorized domains
SetEnvIfNoCase Referer "^http://(www\.)?bing\.com" local_ref=1
SetEnvIfNoCase Referer "^http://(www\.)?google\.com" local_ref=1
SetEnvIfNoCase Referer "^http://(www\.)?facebook\.com" local_ref=1
# File extensions that you want to protect
<FilesMatch "\.(bmp|jpe?g|gif|png)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
You can allow some websites to hotlink to your website. In the example above, I allow bing.com, google.com and facebook.com to hotlink from my website.
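Added example (not part of the original post): a small Python emulation of the rules above, for checking which requests this .htaccess serves or denies before relying on it. The hosts example.org and example.net, the sample requests and the OWN_SITE rule are constructed assumptions, and the emulation assumes nothing else in the server configuration restricts the files directory.

```python
import re

# Referer patterns copied from the .htaccess above; any match sets local_ref=1.
PAGE_RULES = [
    r"^$",
    r"^http://(www\.)?bing\.com",
    r"^http://(www\.)?google\.com",
    r"^http://(www\.)?facebook\.com",
]
# FilesMatch pattern from the page: only these files get the Allow/Deny check.
PROTECTED = re.compile(r"\.(bmp|jpe?g|gif|png)")


def local_ref(referer, rules):
    """Emulate SetEnvIfNoCase: an absent Referer is tested as an empty string."""
    value = referer or ""
    return any(re.search(rule, value, re.IGNORECASE) for rule in rules)


def is_served(filename, referer, rules=PAGE_RULES):
    """True if this .htaccess would not deny the request (assumption: nothing
    else in the server configuration restricts the files directory)."""
    if not PROTECTED.search(filename):
        return True  # outside the FilesMatch block, so Order/Allow do not apply
    return local_ref(referer, rules)  # Order Allow,Deny: denied unless allowed


# Constructed sample requests; example.org / example.net are placeholder hosts.
SAMPLES = [
    ("photo.jpg", None),                                # no Referer header
    ("photo.jpg", "http://www.google.com/imgres"),      # listed host, http
    ("photo.jpg", "https://www.google.com/imgres"),     # listed host, https
    ("photo.jpg", "http://www.example.org/node/1"),     # the site's own page
    ("photo.jpg", "http://forum.example.net/thread"),   # unlisted third party
    ("slides.pdf", "http://forum.example.net/thread"),  # extension not listed
]

# Hypothetical extra rule for the site's own host, accepting http and https.
OWN_SITE = r"^https?://(www\.)?example\.org(/|$)"

if __name__ == "__main__":
    for name, ref in SAMPLES:
        verdict = "served" if is_served(name, ref) else "denied"
        print(f"{verdict:7} {name:11} Referer={ref!r}")
    print("own page with OWN_SITE rule added:",
          is_served("photo.jpg", "http://www.example.org/node/1",
                    PAGE_RULES + [OWN_SITE]))
```

With the rules exactly as listed, a Referer from the site's own host and any https:// Referer match nothing and are denied, so the site's own host needs a rule alongside the search engines.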
Comments
Frances
Mon, 04/11/2011 - 15:26
Not working
Tried using this for my drupal and testing here >> http://www.free-webhosts.com/hotlinking-checker.php if it's working, but the images are still displaying. Hence this code is not working.
This is what I have:
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks
# Prevent Hotlink
SetEnvIfNoCase Referer "^$" local_ref=1
# Next authorized domains
SetEnvIfNoCase Referer "^http://(www\.)?gallery.speedymirror\.com" local_ref=1
SetEnvIfNoCase Referer "^http://(www\.)?gallery.goldlilys-media\.com" local_ref=1
# File extensions that you want to protect
<FilesMatch "\.(bmp|jpe?g|gif|png)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
Is this wrong?
BXTra
Mon, 04/11/2011 - 19:12
I'm not sure what is wrong
I'm not sure what is wrong but it's working for me. I just tested it with the link you provided. No image shows.
One thing though: my "files" directory is located at "/public_html/files", but with newer Drupal, that "files" directory location is changed to "/public_html/sites/default/files". With that path, I never tried whether it works or not.
BXTra
Mon, 04/11/2011 - 19:27
Just tested with another
Just tested with another website with the path "/public_html/sites/default/files". It is working as it should. What I did was just copy the code I provided and paste it into the .htaccess file. (Drupal 6.21)
So, my question now is: did you put that .htaccess file in the correct location?
Frances
Mon, 04/11/2011 - 15:29
Not working 2
Because of the input format, the FilesMatch tags are disappearing, but that's part of the code, exactly the same as yours.
Frances
Tue, 04/12/2011 - 01:30
Working now
Tested it again. Actually, if you visit that exact image from your site and it's cached in the browser, then test it out, it shows up.
I cleared all my cache and when I tested again, it works. Sorry about the trouble. I was getting impatient because I looked at the other threads for preventing hotlinking on Drupal and each one breaks imagecache. Yours was the only one that didn't. Thank you so much.
FYI: you should really disable the preview on comments; having to fill in the captcha each time is kind of long-winded.
BXTra
Tue, 04/12/2011 - 03:12
Glad it works for you :)
Glad it works for you :) Also, I just set Preview as optional per your suggestion. Thanks :)
OMD
Mon, 04/18/2011 - 08:54
tried this for ppt, pdf files
Hi,
I tried your code for ppt and pdf files in my files directory. It had the effect of letting anonymous users still hotlink to the file, but authenticated users could not download file attachments. This is the opposite of what I was trying to achieve. Any ideas?