How to Prevent Hotlinking Images on Nginx and Apache


In this tutorial, you’ll learn how to prevent your images from being hotlinked. Specifically, you will learn how to stop hotlinking on Nginx and Apache web servers.

These examples will prevent hotlinking on any application that you run including WordPress.

Prevent Hotlinking on Nginx

To prevent hotlinking of images on Nginx, add the following location block to your configuration file.

location ~ \.(gif|png|jpeg|jpg|svg)$ {
    # Allow requests with no Referer, a stripped Referer, or one from example.com and its subdomains
    valid_referers none blocked example.com *.example.com;
    if ($invalid_referer) {
        return 403;
    }
}

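This code snippet will disallow images from being loaded on domain names that are not example.com or a subdomain of example.com. The none and blocked parameters also let through requests that carry no Referer header, or a Referer whose value a proxy or firewall has stripped. Of course, replace this domain name with your domain name.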

Restart the Nginx server to apply your configuration changes.

systemctl restart nginx

Now, rather than serving the image, Nginx will return a 403 Forbidden error if another site attempts to hotlink any images from example.com.

Prevent Hotlinking on Apache

To prevent hotlinking of images on Apache, first make sure you have enabled the use of an .htaccess file by adding this snippet to your configuration file. This assumes the website root directory is /var/www/html/.

<Directory /var/www/html>
    AllowOverride All
</Directory>

Next, add the following lines to your .htaccess file in the root of your website directory. If you don’t already have an .htaccess file, please create it.

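RewriteEngine on
# Allow requests that send no Referer header
RewriteCond %{HTTP_REFERER} !^$
# Allow example.com and its subdomains; the host must end at "/" or the end of the string
RewriteCond %{HTTP_REFERER} !^https?://([a-z0-9-]+\.)*example\.com(/|$) [NC]
# Any other Referer requesting an image gets 403 Forbidden
RewriteRule \.(gif|png|jpeg|jpg|svg)$ - [F]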

This code snippet will disable images from being loaded on domain names that are not example.com or a subdomain of example.com. Of course, replace this domain name with your domain name.

Finally, enable Apache's rewrite module (mod_rewrite) if it’s not already enabled, and restart the Apache server to apply your configuration changes.

a2enmod rewrite
systemctl restart apache2

Now, rather than serving the image, Apache will return a 403 Forbidden error if another site attempts to hotlink any images from example.com.
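To check a Referer rule before deploying it, the following added example (not code from the original tutorial) models both rule sets in Python and runs them over constructed Referer values. It compares a prefix-only pattern (`^http(s)?://(www\.)?example.com`) with an anchored one; the function names, the sample values and the simplified Nginx model are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

DOMAIN = "example.com"  # placeholder domain, as in the tutorial

# Prefix-only pattern: unescaped dot, nothing anchoring the end of the host.
LOOSE = re.compile(r"^http(s)?://(www\.)?example.com", re.I)
# Anchored pattern: escaped dots, any subdomain, host must end at "/" or end of string.
STRICT = re.compile(r"^https?://([a-z0-9-]+\.)*example\.com(/|$)", re.I)

# Constructed Referer values (None = header not sent).
SAMPLES = [
    None,
    "https://example.com/gallery/",
    "https://cdn.example.com/page",
    "https://other-site.test/post",
    "https://example.com.other-site.test/post",  # lookalike host
]


def apache_allows(referer, pattern):
    """Model of the two RewriteCond lines: an empty Referer or a match is served."""
    return not referer or pattern.search(referer) is not None


def nginx_allows(referer):
    """Simplified model of `valid_referers none blocked example.com *.example.com`."""
    if referer is None:                            # "none": header absent
        return True
    if not re.match(r"https?://", referer, re.I):  # "blocked": value stripped
        return True
    host = (urlsplit(referer).hostname or "").lower()
    return host == DOMAIN or host.endswith("." + DOMAIN)


def evaluate():
    """Return {referer: (loose, strict, nginx)}; True means the image is served."""
    return {r: (apache_allows(r, LOOSE), apache_allows(r, STRICT), nginx_allows(r))
            for r in SAMPLES}


if __name__ == "__main__":
    for referer, v in evaluate().items():
        print(f"{str(referer):45} loose={v[0]!s:5} strict={v[1]!s:5} nginx={v[2]}")
```

The prefix-only pattern rejects the cdn subdomain but serves the lookalike host, while the anchored pattern and the Nginx model do the reverse. Both rules trust a header the client supplies, so they limit casual embedding by browsers and are not access control.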


Meet Tony


With a strong software engineering background, Tony is determined to demystify the web. Discover why Tony quit his job to pursue this mission. You can join the Tony Teaches Tech community here.

3 Responses

  1. Hello Tony
    Thank you for these really useful snippets.

    I have a different problem to this, although, I suspect it is probably related.

    Can you kindly advise the snippet to use to “prevent direct file access” in Nginx i.e., can I attempt to deny a visitor directly accessing a file/image (based on the file URL) and provide access only if they navigate to that file from within my website?

    Many thanks in advance.

  2. Good, but it's not working with lazy loading JS on most sites. This makes the site “think” that the user is trying to load the image with his browser and not the site itself 🙁
