Hotlinking Prevention... Even without a referer!

View the code for this demo.

Hotlinking [1] [2] [3] images is a common problem for many websites. In the website world, it means to use one site's image on another site--often times without permission--by simply pointing the image tag at the other server. Hotlinking is essentially stealing bandwidth from the server that is hosting the image.

For example, the following image is hotlinked in from Google. If you look at it's properties, you'll see that the image actually lives on Google.com.

Link #3 above presents an approach to protect against hotlinking. It compares the referer against the domain for each request. If they do not match for images, then the request is rejected. This works very well for browsers that actually do send referers. But, not all browsers do. For users of browsers that don't send referers (or perhaps have them purposefully disabled), all images will be broken.

This document presents a technique to being able to publish images without allowing someone else to hotlink your images that DOES NOT rely on the referer. Instead, this techinque relies on changing the name of the images folder every once in a while. Any attempts to hotlink to an image will break within a few minutes.

In this implementation, the all access to the images is through a virtual directory in IIS. At any given time, the virtual directory is named something completely random. If you view the properties of the above image you'll clearly see the random folder name in the path. Every minute, this virtual folder is deleted and recreated with a new name.

In order to protect against the possibility of a page being loaded before a rename and images being loaded after the rename (and thus showing up as broken images to the visitor) we actually maintain two virtual folders at all times... the current one and the last one. That way there's no chance of any broken images for legitimate viewers.

On this page, the renaming process occurs every minute. This means that any hotlinked image will break in less than 2 minutes.

On this server, the code is scheduled to execute every 60 seconds. It is currently scheduled to execute via the Cold Fusion scheduler, but you could schedule the asp file to execute using whatever mechanism is at your disposal. When the code is executed, it stores the current filename in the file hotlink_config.asp. Files that need to display images that will be protected only need to include this file to learn the current folder name.

Checklist for setup:

• Ensure that you've correctly updated the website_id in hotlink_update.asp to reflect the id of the website as defined in IIS. You can determine this by looking at the logging folder or inspecting the Metabase directly.
• Ensure that the root folder has an application. This will ensure that virtual directories can be created programatically.
• Ensure that the user the processing script is running as has rights to update the metabase (administrator rights are required, typically).