Putting Hotlinks on Ice

Recovered from the Wayback Machine.

Hotlinks — what a perfect word for the practice of directly linking to a photograph or other high bandwidth item on someone else’s server. Hot with its implication of hot goods and thieves passing in the cybernight. The proper term is “direct linking”, and while more technically accurate, the latter term lacks panache. Hotlinking is a particularly warm subject for me because of my extensive use of photography with my writing.

I’m not really sure what led to me start posting photographs with my essays and other writing. Probably the same impulse that leads me to mix poetry with technology, a combination leading Don Parks to write They are rather verbose and poetic… of my Permalinks for Poets essays. Well, get comfortable with your favorite drink, because we’re about to embark on another poetic, verbose, adventure into the mysteries of technology. Most fortunate for you, this one’s a murder mystery because we’re going to put hotlinks on ice.

This is a photograph of me

It was taken some time ago.
At first it seems to be
a smeared
print: blurred lines and grey flecks
blended with the paper;

then, as you scan
it, you see in the left-hand corner
a thing that is like a branch: part of a tree
(balsam or spruce) emerging
and, to the right, halfway up
what ought to be a gentle
slope, a small frame house.

In the background there is a lake,
and beyond that, some low hills.

(The photograph was taken
the day after I drowned.

I am in the lake, in the center
of the picture, just under the surface.

It is difficult to say where
precisely, or to say
how large or small I am:
the effect of water
on light is a distortion

but if you look long enough,
you will be able to see me.)

Margaret Atwood


Hotlinking is the practice of adding a photograph or other multimedia directly in a web page, but linked to the resource on someone else’s server. The bandwidth bandit gets the benefit of the photograph, but the owner of the photograph or has has to pay for the bandwidth. If enough photographs or movies or songs are hotlinked, the bandwidth use adds up.

Recently I noticed that several photographs from FOAF, Flocking, and the Semantics of Starlings were being accessed from various other weblogs, including Adam Curry’s weblog. The reason this was happening is that some folks copied part of the essay, including the links to the photographs. The photograph accesses started appearing from one weblog, then another, then another.

The problem was then compounded when each of these sites published RSS that included all their content rather than excerpts — including these same direct links to the photographs. In fact, it was through RSS that photographs appeared in Adam Curry’s online aggregator — along with several very interesting pornography photos.

I’ve had photographs hotlinked in the past and haven’t taken any steps to prevent it because the bandwidth use wasn’t excessive. In addition, some people who are weblogging within a hosted environment don’t have a physical location for photographs, and I’ve hesitated about ‘cutting them off’. Besides, I was flattered when people posted my photographs, being a pushover when it comes to my pics.

However, with this last incident, I knew that not only was my bandwidth being consumed from external links, those who share space and other resources on the weblogging co-op I’m a part of are also losing bandwidth through our shared line. Time to close the door on the links.

To restrict access to images, I’ll need to add some conditions to my existing .htaccess file. If you’ve not worked with .htaccess before, it’s a text file located in your directory that provides special instructions to the web server for files in your directories. In this particular case, the restrictions I’ll add will be dependent on a special module, mod_rewrite, being compiled into your server’s installation of Apache. You’ll need to check with your ISP to see if you have it installed.

(If you have IIS, you’ll use ISAPI filters, instead. See the IIS documentation for specifics.)

Restrictions for image access are made to the top-level .htaccess file shared by all my sites. By putting the restrictions into the top-level file, they’ll be applied to all sub-directories unless specifically overridden.

Three mod_rewrite instructions are used within the .htaccess file:

RewriteEngine On — turns on the rewrite engine
RewriteCond — specifies a condition determining if a rewrite rule is implemented
RewriteRule — the rewrite rule

When the web server accesses the .htaccess file and sees these directives, three things happen: the rewrite engine is turned on, the rewrite conditions are used against the incoming request to see if a match is found, and the rewrite rule is applied.

The rewrite conditions and rules make use of regular expressions to determine if an incoming request matches a specific pattern. I don’t want to get into regular expressions in this essay, but know that regular expressions are basically pattern matching, using special characters to form part of the pattern. The examples later make use of the following regular expression characters, each listed with its specific behavior:

! used to specify non-matching patterns
^ start of line anchor
$ end of line anchor
. match any single character
? zero or one of preceding text
* 0 or N of the proceding text, where N is greater than zero
\char Escape character — treat char as text, not special character
(chars) grouping of text

There are other characters, but these are the only ones I’m using — the mod_rewrite Apache documentation describes the entire set.

Within .htaccess I add a line to turn on the rewrite engine, and add my first condition — match a HTTP request from any domain that is not part of the domain:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?*$ [NC]

The condition checks the HTTP referrer (HTTP_REFERER) to see if it matches the pattern, in this case anything that is not from the This includes domains other than,,, and directly. The qualifier at the end of the line, [NC], tells the rewrite engine to disregard case.

I’m looking for domains other than my own because I want to apply the rules to the external domains — let my own pass through unchecked. Since I have more than one domain, though, I need to add a line for each domain and modify the file accordingly:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC]

Once all of conditions are added to .htaccess, when the web server accesses a file within my directories, the conditions are combined, adding up to a pattern match for any domain other than a variation on,,, and

One last pattern domain needs to be allowed through, unchecked — I need to allow access to the images when the referrer has been stripped, such as local access or access through a proxy. To do this, I add a line with no domain or pattern — a blank referrer. The file then becomes:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC]

Once I have the rewrite conditions set, time for the rule. This is where all of this can get interesting, depending on how clever you are, or how devious.

In my .htaccess file, when a referrer from a domain other than one of my own accesses one of my photos, I forbid the request. The rule I use is:

RewriteRule \.(gif|jpg|png)$ – [F]

What this rule says is that any request to a JPG, GIF, or PNG file, coming from a domain that doesn’t match the conditions set earlier, is rewritten to the ‘-‘ character. In addition, the [F] qualifier at the end of the line tells the browser that they are forbidden to fetch this particular file.

Depending on the browser accessing the web page that contains the hotlinked photo, rather than the image, the page will either show a missing image symbol, or the name of the image file will be printed out.

Now, my approach just prohibits others from hotlinking to my images. Other people will redirect the image request to another image — perhaps one saying something along the lines of “Excuse me, but you’ve borrowed my bandwidth, and I want it back.” In actuality, people can be particularly clever, and downright mean, with the image redirection.

If this is the approach you want, then you would use a line similar to:

RewriteRule \.(gif|jpg|png)$ [R,L]

In this case, the image request is redirected to another image, baddoodoo.jpg, and a redirect status is returned (the ‘R’). The ‘L’ qualifier states that this is the last rewrite rule to apply, to prevent an infinite lookup from occurring (accessing that redirected image, triggering the rule, that accesses that image, that triggers…you get the idea). Don’t forget to terminate the rule with the ‘L’ qualifier or you’ll quickly see how your web server deals with runaway processes.

(Does anyone smell smoke?)

It’s up to you if you want to forbid the image access, or redirect to another file — note, though, that you shouldn’t assume that people who are hotlinking are doing so maliciously. Most do so because they don’t know there’s any wrong with it. Including most webloggers.

My complete code is:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC]

RewriteRule \.(gif|jpg|png)$ – [F]



Some browsers strip the trailing slash from a request, and can cause access problems, as noted in comments in Burningbird. I’ve modified the .htaccess file to the following to allow for this:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?*)?$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?*)?$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?*)?$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?*)?$ [NC]
RewriteRule \.(gif|jpg|png)$ – [F]

I tested to ensure this worked using the curl utility, which allows me to access a file and pass in a referrer:

curl -e

The .htaccess file should now work with browsers that strip the trailing slash

With the rule now in place, if someone tried to link directly to the following photograph, all they’ll get is a broken link.


You can see the effect of me putting hotlinks on ice by accessing this site with the domain This is one of my domains, but I haven’t added it to the .htaccess file — yet. If you access the main burningbird weblog page through, using, you’ll be able to see the broken link results. Look quickly, though, I’ll be adding in the next week.

When I mentioned writing this essay, Steve Himmer made a comment that the rules he added to .htaccess didn’t stop Googlebots and other bots from accessing images. To restrict access of images from webbots such as googlebot, you’ll want to use another file, robots.txt.

My photos are usually placed in a sub-directory called /photos, directly under my main site. To prevent well behaving webbots such as Google from accessing any photo, add the following to your robots.txt file, located in the top-level directory:

User-agent: *
Disallow: /photos/

This will work with Googlebot, which is a well behaved bot; it will also work with other well behaved bots. However, if you’re getting misbehaving ones, then the next step is banning access from specific IPs — but that’s an essay for another day, because it’s past my bedtime, and …to sleep, perchance to dream.


Just Shelley

Crossed Emails

Recovered from the Wayback Machine.

I’ve had three crossed email incidents in the last two days. In case you’re wondering, crossed email is when you send an email and the person you’re sending it to sends you an incoming email at the exact same time. Unless you’re in a furious exchange of emails, this is pretty rare.

You know what crossed emails mean, don’t ya? Every time you exchange simultaneous emails with another person, an evil email spammer goes to hell.

Really! I’m not making this up! I received the instructions when I answered the following email:

Moved offline because original was taking up too much room.


Comments on the Communications Decency Act

Recovered from the Wayback Machine.

My first real experience with the Internet was subscribing to a Usenet on a symbolic modeling language. I remember reading a response from a researcher in Switzerland and deciding to write my first entry into the thread. Every time someone would write from a different country I was awed. Where else and in what other circumstance could people from different countries and different cultures converse in such a way that the topic at hand becomes the focal point, not the differences of those speaking.

Where governments have trodden through the front door with fanfare and progressed with little steps, or failed, the Internet has moved quietly through the back door and succeeded. Until now.

While the Internet was nothing more than an insider’s tool, it was for the most part unconstrained and relatively open. Now that the access to the Internet is open “to the masses” we seek to impose constraints and limitations. Worse, where before each country’s boundaries were transparent, they now seek to make them not only opaque but a virtual brick wall. The main benefit of the Internet is taking down boundaries not putting them up. The Internet is owned by no Man, no Woman, and no Country.

I was following some forgotten path through the Web once when I stumbled on a letter from an Irish environmental terrorist. He wrote the letter in prison after he was captured while attempting to bomb a factory that he believed was damaging to the environment. This letter was fascinating. It was not an interview on some slick TV show, or in some slick magazine. It was an unsolicited recitation of facts and beliefs of a person that most of us would have an easy time dismissing as a nut after a two paragraph word byte in the press. Did I agree with the person? No, and I do consider myself an environmentalist. Bombs and bullets are never the way folks, nor are bricks and bats. However, the letter did give me a perspective that I would never have had if I had not read it. I cannot as easily dismiss an act of terrorism as an act of a mad person, which in a way makes the act even more frightening. Would this letter be considered “excessively violent”? Would the group that posted it be in violation of the law?

Could something like this be considered obscene? In some countries and in sometimes it could be. In certain countries, a picture of a woman bare faced and holding a career would probably be considered obscene. Full frontal nudity is considered by many in the United States as obscene but is probably considered perfectly normal in other countries. The very thing that makes the Internet great, the absence of borders, makes it virtually impossible to determine a common point of obscenity or a common point of decency.

We in the United States cannot agree within our own borders what is ‘decent’. One person believes in allowing free choice for women, and another would consider this indecent and obscene. Would information on the Internet on abortions then be considered illegal? If your child read this material, and it was presented in a scientific manner and presented only facts, would the originators of the material be in violation of the law?

If all we read in books, or all we see on TV, or all we hear on the radio, and all we can discuss on the Internet is material suitable for small children neither they nor we will ever and can ever grow, and we as a society will never mature.

Perhaps that’s what some people, including Congress, really want.

That’s it, folks.