README

mod_hotlink

Protects non-text content against "hotlinking": embedding images and other
content hosted on someone else's website in one's own pages, which presents
the content as one's own and uses the host's bandwidth.

For Apache 1.3, fully tested with 1.3.26, also works with later versions.
Not tested and not expected to work with 2.x without some effort.

Finally got around to creating a project for it, so hopefully if it is found
to be of use, a group effort will make something more of it.

Please note: The Referer header sent by browsers is completely optional, and
often untrustworthy. There is very little anyone can do about that. So, this
won't protect you from all hotlinking. In practice, it works for most
browsers.

To install it, copy mod_hotlink.c and Makefile.tmpl to a new directory,
src/modules/hotlink. Then run

    ./config.status --activate-module=src/modules/hotlink/mod_hotlink.c

or add the --activate-module line to your configure statement.

Enabling it is easy. Add:

    HotlinkProtection on

to your .htaccess file. The defaults will protect against any referrer that
doesn't match the Host: header. Given that the Host: header will only ever
contain a valid domain for your site itself (this is how HTTP/1.1 works),
this is sufficient for almost every situation.

You can specifically allow certain referrers with HotlinkAllow:

    HotlinkAllow http://www.otherdomain.com

You can also deny referrers, or requests with no referrer at all (not
recommended):

    # denies null referers
    HotlinkDeny -
    # unusual but possible
    HotlinkDeny http://yourserver.com

You can set the response code used for denied requests like this:

    HotlinkResponse 403

By default the response is 420. You can then use ErrorDocument to specify
another image to show in its place.

Note: To specify another image on your server, you will need to place the
image in a directory with "HotlinkProtection off".
For example:

    websites/foobar.com:
      .htaccess:
        HotlinkProtection on
        ErrorDocument 420 http://www.foobar.com/errors/stolen.jpg

    websites/foobar.com/errors:
      .htaccess:
        HotlinkProtection off

HISTORY

10/28/2004      Released to the public, meant to do this forever ago
3/??/2002       1.0 finished

COPYRIGHT, LICENSE

Copyright 2004 David P Kirchner

Licensed under the Apache License Version 2.0, included by reference
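
ADDED EXAMPLE

The default check described above (Referer compared with the Host: header, plus HotlinkAllow and "HotlinkDeny -"), sketched as a stand-alone C function. This is an added illustration, not code from mod_hotlink.c: the names url_host and hotlink_check are hypothetical, and the exact-host comparison and the denial of unparseable Referer values are assumptions, since this README does not state the module's matching rules.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

#define HOTLINK_DENIED 420  /* default denial status stated in this README */

/* Extract the host of an absolute http(s) URL, dropping userinfo and port.
 * Returns 0 on success, -1 otherwise (bracketed IPv6 literals are rejected). */
static int url_host(const char *url, char *out, size_t outlen)
{
    const char *p;
    size_t auth, i, n = 0;

    if (strncasecmp(url, "http://", 7) == 0) p = url + 7;
    else if (strncasecmp(url, "https://", 8) == 0) p = url + 8;
    else return -1;
    auth = strcspn(p, "/?#");          /* authority = [userinfo@]host[:port] */
    for (i = auth; i > 0; i--)         /* the host starts after the last '@' */
        if (p[i - 1] == '@') { p += i; auth -= i; break; }
    while (n < auth && p[n] != ':') n++;
    if (n == 0 || n >= outlen || *p == '[') return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Hypothetical decision function: 0 = serve, HOTLINK_DENIED = refuse.
 * deny_null models "HotlinkDeny -"; allow[] models HotlinkAllow entries. */
int hotlink_check(const char *host_hdr, const char *referer,
                  const char *const *allow, size_t nallow, int deny_null)
{
    char ref[256], h[256];
    size_t i, n = strcspn(host_hdr, ":");   /* Host: may carry a port */

    if (referer == NULL || *referer == '\0')
        return deny_null ? HOTLINK_DENIED : 0;
    if (url_host(referer, ref, sizeof ref) != 0)
        return HOTLINK_DENIED;              /* assumption: unparseable is denied */
    if (strlen(ref) == n && strncasecmp(ref, host_hdr, n) == 0)
        return 0;                           /* Referer host equals Host: */
    /* Compare whole host names, so an allowed name used only as a prefix,
     * or placed in the userinfo part of the URL, does not match. */
    for (i = 0; i < nallow; i++)
        if (url_host(allow[i], h, sizeof h) == 0 && strcasecmp(ref, h) == 0)
            return 0;
    return HOTLINK_DENIED;
}
```

The check applies only to clients that send an honest Referer; as noted above, the header is optional and can be set to anything.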