Stop and Prevent Hotlink Bandwidth Theft, Hotlinking and File Leeching

Hotlink bandwidth theft, hotlinking, file leeching, bandwidth bandits, hot links, bandwidth leeching, hotlinks, external linking, remote linking, deep linking and direct linking are all words and phrases used to describe a single problem that many webmasters must stop or prevent, or are at least interested in stopping and preventing.

They describe the practice of building web pages that contain unauthorized content links, known as hotlinks, direct links, or remote links, to files hosted by another site. Notice that we said content links and not navigation links that lead to another site. Content links are file references that the browser fetches to draw the page, such as images, style sheets, scripts or even complete web pages that are rendered within a frame. In other words, these are embedded content or embedded objects within an html page.

The result of hotlinking is that the offending site is able to present its pages without paying for the bandwidth needed to serve up the stolen content. The victim site ends up paying the bandwidth expense for serving up the files without gaining any page views. That is why webmasters will call someone doing this a leech or bandwidth bandit.

Many webmasters would not mind if an image were copied and hosted by another site, especially if permission was sought in advance. The objection in the case of hotlinking is to paying bandwidth bills to benefit a leech. Be aware though that this does not hold true in the case of adult porn sites. Whether they are free tgp sites, avs sites or paid membership subscription sites, their marketing depends on presenting their pictures (.gif, .png, .jpg, .jpeg), movie clips (.mpg, .mpeg, .mov, .wmv) and streaming video feeds in context. And then there are the music and ring tone sites that have to protect .mp3 and .wav music files. Of course there are also downloadables such as .pdf and .zip files that need to be protected.

There are two levels at which you can apply controls to prevent hotlinking and defeat a leech. One option is to control it at the web server level. In apache this is typically implemented using the mod_rewrite module, while in iis this would be implemented using an isapi filter.

The other possibility is to use a scripting facility such as apache + php or iis + asp to control access to the resources to be protected from hotlinking.

Whatever bandwidth protection tool or technique is picked to combat hotlinks, the task remains the same. First, decide if the request is a permitted legitimate link or a hotlink originating from another site and second, send the file or drop the hotlinked request. Note that a good anti-hotlinking scheme is also an effective prevention for the related problem of deep linking.

Studying the solutions will show that the mechanisms that are used are the http-referer header, browser cookies, dynamic session identifiers and dynamic link manipulation.

http-referer is a http request header sent by the browser which tells the server or script what site and page contained the current request. There are certain notable exceptions that must be accommodated. The http-referer value will be blank if the request was a url typein, if an intervening proxy server deleted it, if the request is a http:// reference originating from a https:// originator, if the request is being masked by internet privacy software, if the request is being modified by browser privacy settings. The http-referer can also be a nonsensical string if it is being masked by internet privacy software or browser privacy settings.

The biggest security hole in depending on the http-referer header is that a blank referer must almost always be permitted in the server settings. This is necessary to accommodate legitimate users who are reaching the site through normal means but presenting a blank referer string. In this scenario it is trivial to create a web page that will always present a blank referer. One method is to use javascript to write the image links at the client browser. A second method is to do a meta-refresh. Either method will cause a blank referer to be sent to the server.
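The decision step of a referer-based check, written out as an added example (not code from the original page) so the trade-off above can be seen on sample requests. The host names, the `ALLOWED_HOSTS` set and the sample header values are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: the protected site's own host names (placeholders).
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def referer_decision(referer, allow_blank=True):
    """Return 'serve' or 'drop' for a request to a protected file."""
    if referer is None or not referer.strip():
        # Type-in, stripped by a proxy, https-to-http, or privacy settings.
        return "serve" if allow_blank else "drop"
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:
        host = None
    if not host:
        # Nonsensical value written by privacy software: cannot be matched.
        return "drop"
    # Compare the whole host name; a substring test would also accept
    # a foreign host that merely contains the site's name.
    return "serve" if host.lower() in ALLOWED_HOSTS else "drop"


# Constructed sample requests: (description, Referer header value).
SAMPLES = [
    ("own page", "http://www.example.com/gallery.html"),
    ("other site", "http://leech.example.net/stolen.html"),
    ("lookalike host", "http://www.example.com.leech.example.net/"),
    ("blank referer", ""),
    ("masked referer", "XXXXXXXX"),
]


def classify_samples(allow_blank=True):
    return {name: referer_decision(ref, allow_blank) for name, ref in SAMPLES}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:15} {verdict}")
```

With `allow_blank=True` the blank referer is served whoever sent it, and the masked referer of a legitimate visitor is dropped; both outcomes are limits of the header itself, not of the matching code.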

A browser cookie is just another http request header that returns information which the server has previously requested the client to store and return with every http request. When client cookies are available, they can be a very reliable tracking device.

However, as concerns for privacy grow on the internet, increasing numbers of users are using inaccurate http-referer headers and turning off client browser cookies. Of course, this reduces the effectiveness of depending on these features as identifiers for bandwidth protection purposes.

Dynamic session identifiers and dynamic link manipulation refer to the technique of modifying parts of urls for each unique client. The limiting factor is the requirement that the pages containing such links cannot be static html. Each page request will need to be uniquely created by a scripting engine such as php, asp, coldfusion or java. The server works harder, the user cannot cache the page and search engines may have a hard time crawling these pages if query strings are involved.
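One way to build such per-client links, shown as an added example that is not from the original page: the page generator appends an expiry time and an HMAC over the path, the client and the expiry, and the file handler recomputes it. The use of HMAC-SHA256, the `SECRET` value and the `client_id` parameter (whatever value the server uses to tell clients apart, such as a session identifier) are assumptions of this sketch.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-key"  # assumption: secret known only to the server


def _signature(path, client_id, expires, key=SECRET):
    msg = f"{path}\n{client_id}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_link(path, client_id, ttl=300, now=None):
    """Build the per-client URL written into a dynamically generated page."""
    expires = int(time.time() if now is None else now) + ttl
    return f"{path}?exp={expires}&sig={_signature(path, client_id, expires)}"


def check_link(url, client_id, now=None):
    """Return 'serve' or 'drop' for a request arriving with this URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return "drop"  # plain static link, no token at all
    if (time.time() if now is None else now) > expires:
        return "drop"  # link copied from an old page
    expected = _signature(parts.path, client_id, expires)
    # Constant-time comparison of the two hex digests.
    ok = hmac.compare_digest(sig.encode(), expected.encode())
    return "serve" if ok else "drop"
```

A link copied into another site's page fails the check for every visitor other than the one it was generated for, and stops working for that visitor once `exp` has passed.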

Late Breaking News! There is now a product available that overcomes all of the weaknesses in the anti-hotlink and anti-leech methods described above. The company is aptly called, and they have an in depth bandwidth protection demonstration site where you can see their product prevent hotlinking on an iis server. It protects any kind of file content and works with both static and dynamic html pages without any dependence on cookies or http-referer headers. They use an isapi filter for iis, while for apache it comes in the form of a module. Their site also features an online anti-hotlinking test tool that is helpful in evaluating server hotlinking protection.

As an aside, some webmasters have also been making use of non-technical measures by relying on their legal rights. This is particularly true if the offending party is covered by the Digital Millennium Copyright Act (DMCA) and it is specifically mentioned. Success in following this avenue can be mixed; however, the first step is a strongly worded cease and desist letter. In some jurisdictions, we understand that a formal cease and desist letter is a necessary step to further prosecution. A particularly nice touch is to appoint yourself to the legal affairs department of your site before writing a formal sounding initial email. A carbon copy to their isp can also have a helpful effect.

Internet searches on google, alltheweb, yahoo or msn that will yield useful updated instructions and source code for implementing bandwidth protection include:

  • hotlink .htaccess
  • hotlink mod_rewrite
  • hotlink modules
  • hotlink php symlink
  • anti-hotlink
  • anti-hotlinking
  • leechblocker
  • leech
  • anti-leech
  • anti-leeching

Since some engines do not recognise word stemming, you will need to try all the variations such as hotlinks, hotlinking, hotlinked, hotlinker and hotlinkers.

© 2003-2007, all rights reserved