IIS Home @ it-notebook.org

How to prevent hot linking

(Kristofer Gafvert, April 14, 2005)

Definition of hotlinking

Hot linking (also called "bandwidth theft", "leeching" and "hotlinking") is when another website links directly to images, zip files and other files hosted on your web server (I will use images in the examples in this text). Whether you host your own website or have someone else host it, you usually pay for the data transferred. So when someone hotlinks files on your website, you send out more data than necessary and pay more than you need to. And since your server has more work to do (serving images to the visitors of other websites), your own website slows down.

Who hotlinks?

So, who does this "evil" thing? The most common occurrence of hotlinking is people posting to forums. Often the forum gives its users no way to upload images, so users hotlink images hosted elsewhere. The purpose is not to drive traffic to their own website or to claim ownership of the images, so the only loss is bandwidth and CPU time. Another, less common, occurrence is website administrators who steal not only the images but also the articles the images belong to. The purpose is to drive traffic to their own website and make it more attractive, so they are stealing not only your bandwidth but also your visitors (and your advertising revenue, if any).

Prevent hotlinking

Preventing hotlinking is a bit tricky. When a client browses a web page with an image, it sends a separate request for the image: if you host a web page (an HTML file) with one image, the client sends two requests to the web server. HTTP[5] is a stateless protocol, meaning that the web server has no knowledge of previous requests. So, from the image request alone, the web server cannot tell whether the image was requested because you linked to it from your own web page or because someone else linked to it from another website.

There is, however, a referrer[1] header field (misspelled as Referer in the HTTP specification, and that misspelling is the header name clients actually send) that a client may include with an HTTP request. The header is optional, but most browsers send it. It contains the URL of the page that caused the request, and that is what a hotlink block keys on.

IIS 6.0 has no built-in functionality to block hotlinking (nothing like .htaccess rules on Apache[4]), but an ISAPI filter, which sees every request before IIS serves it, is a good fit for rejecting these unwanted requests. There are free ones, such as LeechBlocker by Michael Brumm[2], and commercial ones such as ISAPI_Rewrite[3].

Problems with blocking hotlinking

Since blocking hotlinking relies on a header that not every client sends, and that the client may strip or change (some browsers and privacy tools do this to protect the user's privacy), it cannot be made failsafe. If you block hotlinking and want your own website to keep working, make sure that clients sending no referrer at all can still download the image. Some referrers will be false or modified, so you may want to let those through as well (analyse your log files to find the strings you want to allow). Keep in mind that the header is entirely under the client's control, so anyone who really wants the image can set it to whatever passes your filter: a referrer check discourages casual hotlinking, it is not an access control. And remember, do not apply the referrer check to htm/html or other "page files". You don't want to block people from visiting your website, do you? :-)
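The decision described above (check only downloadable file types, let requests without a referrer through, allow your own hosts, block the rest) and the log analysis recommended for tuning it, as an added example. This is not code from the article, from LeechBlocker or from ISAPI_Rewrite; it implements the per-request decision an ISAPI filter would make in Python so it can be run offline, and replays it over a log extract. The extension list, the allowed host list and the log lines are assumptions and constructed data, not taken from the article.

```python
"""Referer-based hotlink policy, replayed over constructed IIS W3C log lines.

Added example for this article; not code from it-notebook.org, LeechBlocker or
ISAPI_Rewrite. PROTECTED_EXTENSIONS, the allowed host list and SAMPLE_LOG are
assumptions/constructed data.
"""
import posixpath
from collections import Counter
from urllib.parse import urlsplit

# File types the check applies to. Page files (.htm/.html/.asp) are deliberately
# absent: checking Referer on them would turn away direct and bookmarked visitors.
PROTECTED_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".zip"}


def referer_host(referer):
    """Lower-cased host of a Referer URL; None if the header is absent, is "-"
    (how IIS logs an empty field) or is not parseable as an absolute URL."""
    if not referer or referer == "-":
        return None
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:  # e.g. a malformed IPv6 literal in the URL
        return None
    return host.lower() if host else None


def host_allowed(host, allowed_hosts):
    """True if host is one of our domains or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def should_block(uri_stem, referer, allowed_hosts):
    """Decide whether a request should be refused. Returns (blocked, reason).

    Policy, following the article's advice:
      * only protected file types are checked
      * no Referer (or an unparseable one) is allowed: many clients omit it,
        so the rule fails open instead of breaking our own pages
      * a Referer from one of our hosts is allowed
      * anything else is blocked
    Referer is supplied by the client, so a forged header passes; this limits
    casual hotlinking and is not an access control.
    """
    ext = posixpath.splitext(uri_stem.lower())[1]
    if ext not in PROTECTED_EXTENSIONS:
        return False, "not a protected file type"
    host = referer_host(referer)
    if host is None:
        return False, "no usable referer"
    if host_allowed(host, allowed_hosts):
        return False, "referer host allowed"
    return True, "referer host not allowed: " + host


def analyze_log(log_text, allowed_hosts):
    """Replay the policy over W3C extended log text (the '#Fields:' header names
    the columns). Returns (blocked, hosts): the requests that would have been
    refused, and a count of referrer hosts seen on protected files, which is the
    list to inspect for legitimate entries before the block goes live."""
    fields = None
    blocked = []
    hosts = Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; real code would log it and move on
        rec = dict(zip(fields, parts))
        uri, ref = rec.get("cs-uri-stem", ""), rec.get("cs(Referer)", "-")
        if posixpath.splitext(uri.lower())[1] in PROTECTED_EXTENSIONS:
            hosts[referer_host(ref) or "(none)"] += 1
        if should_block(uri, ref, allowed_hosts)[0]:
            blocked.append((rec.get("c-ip", "?"), uri, ref))
    return blocked, hosts


# Constructed log extract in IIS 6.0 W3C format with a reduced field set.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs(Referer) sc-status
2005-04-14 10:00:01 192.0.2.10 GET /index.htm - 200
2005-04-14 10:00:01 192.0.2.10 GET /images/logo.gif http://www.example.com/index.htm 200
2005-04-14 10:00:05 198.51.100.7 GET /images/logo.gif http://forum.example.org/thread.php?id=7 200
2005-04-14 10:00:09 203.0.113.4 GET /images/logo.gif - 200
2005-04-14 10:00:12 198.51.100.7 GET /article.htm http://forum.example.org/thread.php?id=7 200
2005-04-14 10:00:15 198.51.100.9 GET /files/tool.zip http://WWW.EXAMPLE.COM/download.htm 200
"""

if __name__ == "__main__":
    blocked, hosts = analyze_log(SAMPLE_LOG, {"example.com"})
    for ip, uri, ref in blocked:
        print("BLOCK", ip, uri, "referer=" + ref)
    for host, n in hosts.most_common():
        print(f"{n:4d}  {host}")
```

Run against the sample, only the forum's request for logo.gif is refused: the direct request with no referrer and the request for article.htm from the same forum both go through, and the upper-case WWW.EXAMPLE.COM referrer matches because hosts are compared case-insensitively. The host counter is what you would inspect on a real log to spot mirror or proxy hosts that deserve an entry in the allowed list. A request with a forged "http://www.example.com/" referrer passes just like a real one, which is the limitation the paragraph above describes.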

Applies to

IIS 6.0

Resources

[1] HTTP Header Field Definitions
[2] LeechBlocker by Michael Brumm
[3] ISAPI_Rewrite
[4] Stop hotlinking and bandwidth theft with htaccess
[5] HTTP at wikipedia