How to Prevent Hotlinking Images on Nginx and Apache

by

How to prevent hotlinking
Hey there! Some links on this page may be affiliate links which means that, if you choose to make a purchase, I may earn a small commission at no extra cost to you. I greatly appreciate your support!

In this tutorial, you’ll learn how to prevent your images from being hotlinked. Specifically, you will learn how to stop hotlinking on Nginx and Apache web servers.

These examples will prevent hotlinking on any application that you run including WordPress.

Prevent Hotlinking on Nginx

To prevent hotlinking of images on Nginx, add the following location block to your configuration file.

location ~ .(gif|png|jpeg|jpg|svg)$ {
    valid_referers none blocked example.com *.example.com;
     if ($invalid_referer) {
        return 403;
    }
}

This code snippet will disallow images from being loaded on domain names that are not example.com or a subdomain of example.com. Of course, replace this domain name your domain name.

Restart the Nginx server to apply your configuration changes.

systemctl restart nginx

Now, rather than serving the image, Nginx will return a 403 forbidden error if another server attempts to hotlink any images from example.com.

Prevent Hotlinking on Apache

To prevent hotlinking of images on Apache, first make sure you have enabled the use of an .htaccess file by adding this snippet to your configuration file. This assumes the website root directory is /var/www/html/.

<Directory /var/www/html>
    AllowOverride All
</Directory>

Next, add the following lines to your .htaccess file in the root of your website directory. If you don’t already have an .htaccess file, please create it.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com [NC]
RewriteRule \.(gif|png|jpeg|jpg|svg)$ - [F]

This code snippet will disable images from being loaded on domain names that are not example.com or a subdomain of example.com. Of course, replace this domain name your domain name.

Finally, turn on the rewrite engine if it’s not already enabled, and restart the Apache server to apply your configuration changes.

a2enmod rewrite
systemctl restart apache2

Now, rather than serving the image, Apache will return a 403 forbidden error if another server attempts to hotlink any images from example.com.


Meet Tony

With a background in computer science and engineering, Tony is determined to demystify the web. Discover why Tony is pursuing this mission. You can also connect with Tony here.

4 thoughts on “How to Prevent Hotlinking Images on Nginx and Apache”

  1. Hello Tony
    Thank you for these really useful snippets.

    I have a different problem to this, although, i suspect it is probably related.

    Can you kindly advise the snippet to use to “prevent direct file access” in Nginx i.e., can I attempt to deny a visitor directly accessing a file/image (based on the file URL) and provide access only if they navigate to that file from within my website?

    Many thanks in advance.

    Reply

  2. Good, but its not working with lazy loading JS on most sites. This makes site to “think”, that the user is trying to load the image with his browser and not site itself 🙁

    Reply

  3. This piece has the kind of depth that makes it impossible to rush through. I found myself lingering over each sentence, appreciating not just the content but the care with which it was crafted. It’s the kind of writing that stays with you, makes you think, and makes you feel all at once.

    Reply

Leave a Comment