Tip #34: Did you know… How to stop hot-linking from your site using URL Rewrite in IIS 7.0?


Hot-linking is a direct linking to a web-site’s file (images, videos etc). An example can be using an <img> tag to display a JPEG image someone finds at your web site. This is also referred to as bandwidth theft as when someone is viewing this site, they will be using the bandwidth of your site to display the JPEG image. The other words used to describe this are leeching, piggybacking, direct linking or offsite image grabs to name a few.

Let’s say you have the below copyright image at your web site http://www.contoso.com/img1.jpg which you would like to prevent from hot linking.

welcome

URL Rewrite module in IIS 7.0 can be used to achieve this in a very simple way. I will tell you how to do this from IIS Manager. Open IIS Manager and select "Your Web Site (Contoso.com in this case)". In the feature view click "URL Rewrite and click "Add Rules…" in the "Actions" pane. Select "Blank Rule" to start with. This will open up the "Edit Rule" property page. Fill the property page as shown below:

Url_Rewrite

Let me now explain what we have done on this property page:

  • Specified name of the rule as "Prevent Leeching". This must be a unique rule.
  • Every requested URL will be matched as the pattern is ".*" and is a regular expression.
  • Added two condition and specified both the condition to be satisfied (see "Logical Grouping" is "Match All")
    • HTTP_REFERRER does not match empty as it can be a direct reference to the image
    • HTTP_REFERRER does not match my own site http://www.contoso.com
  • If the above two conditions are satisfied (apparently meaning the request is coming from any other site), we are just redirecting it to pick up some other image which can be anything

And that’s it. So without writing even a single line of code we are able to prevent hot-linking.

One important thing to remember is that URL Rewrite should be installed for this to work. You can install X86 version here and X64 here. This module is supported for IIS 7.0 and you should be running IIS 7.0 to take advantage of it. Also if you are working with VWD (Visual Studio for Web Developers) your project should be configured to work with IIS 7.0 and not any other web server.

This was one of the cool features showcased in PDC 2008 for IIS 7.0. For other cool features including this please see this complete video at channel9.

Don Raman 
SDET, IIS Team

Comments (10)

  1. budigelli says:

    Should be quick to test on my end, but curious if users subscribed to RSS feed be able to read the images!

  2. It depends on what HTTP_REFERRER one is getting from a RSS feed and the kind of condition one writes. Couple of options independently I can think of:

    1. If you know from which domain RSS feed comes, you can as well whitelist it.

    2. Analyze HTTP_REFERRER and see if there is anything unique in there (like empty REFERRER etc.). You can write a custom rule for that.

    3. See if other condition in the "Input" list while adding the rule helps.

    Thanks,

    Don.

  3. axelriet says:

    How to break IE7’s RSS reader in 1 lesson?

  4. This is a real cool option! However for those, whose hosting companies(like mine) disallow editing rules in IIS, i have written both a desktop as well as a web solution to watermark images with a logo or site name.

    Here’s the link to the desktop solution:

    <a href="http://www.dotnetcurry.com/ShowArticle.aspx?ID=243">Watermark and Add Copyright Info to your Images on your Local drive using C# and VB.NET </a>

    HTH.

  5. Aaron says:

    Not that there is a high probability, or serious risk if it occurs, but…  Isn’t this easily "spoofable"?  Can’t I provide the referrer in my request?

  6. @Aaron: HTTP_REFERRER is something that your browser sends. Yes you are correct this can be spoofed and there are tons of ways available to do it. But the number of people taking this pain will be less as you also mentioned. Also most of the solution I have heard of involves client (browser). This means faking HTTP_REFERRER from the browser and not the site itself. But again I may be wrong.

    Thanks,

    Don.

  7. My latest in a series of the weekly, or more often, summary of interesting links I come across related to Visual Studio. The Web Developer Tools Team has posted a few new tips: Tip #34: Did you know… How to stop hot-linking from your site using URL

  8. Referrer checking is an important first step and is probably enough to stop most casual hot linking.  But determined content or bandwidth thieves can get around this by spoofing the HTTP Referrer header — a fairly trivial task.  

    There are countermeasures but they are usually more difficult to implement because they require more than URL rewriting.  For instance, the URLs that point to dependent objects like images can be "sessionized" so that they only work for users who have (recently) requested a page where those objects are legitimately needed.  

    This is one of the advanced features in our hotlink blocker, LinkDeny.  We have a 30-day free trial if you want to check it out.

    Jenny Lemmons

    Director of Marketing

    Port80 Software

    http://www.port80software.com/linkdeny

Skip to main content