Three Ways to Allow Hotlinking in Specific Directories

♦ Posted by Jeff Starr in .htaccess, Security

Updated March 26, 2021 • 9 comments

After implementing any of the hotlink-prevention techniques described in our previous article, you may find it necessary to disable hotlink-protection for a specific directory. By default, htaccess rules apply to the directory in which it is located, as well as all subdirectories contained therein. There are (at least) three ways to enable selective hotlinking:

Place hotlink images in an alternate directory

This method works great if your hotlink-protection rules are located in a directory other than the site root. Simply create another directory outside of the directory containing the htaccess rules and place your hotlink-allowed images into that directory.

Create a pseudo-rewrite rule for the target directory

If your images are located within the influence of your hotlink-protection rules, and you need to enable hotlinking for a specific directory, it is possible to circumvent the anti-hotlink rewriting for that directory. In the htaccess file for the target directory, add the following, pseudo-rewrite rules:

# disable hotlink protection
RewriteEngine on
RewriteRule ^.*$ -

Turn off the rewrite engine in the target directory

Ahh, the joys of simplicity. If neither of the previous methods seem appealing to you, perhaps the simple elegance of this effective method will inspire you: turn off the rewrite engine in the directory that houses your hotlink images. That’s it. Simply add the following line to your target directory’s htaccess file and enjoy immediate results:

# disable hotlink protection
RewriteEngine off

While any of the above-described methods works fine, disabling mod_rewrite in the target directory is by far the simplest, most elegant solution.

Update

An alternate way of disabling mod_rewrite is to flag the last RewriteRule with the [END] flag. For example:

RewriteRule /(some-other-rule)/ https://perishablepress.com/ [END]

What about enabling hotlink-protection in a specific directory? Read on, my friend..

Selectively protect files in a specific directory

Protecting the contents of a specific directory (as opposed to all directories) requires a simple addition to any of the anti-hotlinking measures presented in our previous article. If, say, you wanted to protect all files located in a directory called “private,” you would modify the RewriteRule as follows:

# protect all content in private directory and return a forbidden error
RewriteRule protected/(.*)$ - [F,NC,L]

..or, alternatively:

# protect all content in private directory and return a nasty image
RewriteRule protected/(.*)$ http://domain.tld/hotlink.jpg [R,NC,L]

In other words, prepend the name of the target directory to the list of protected file types, which in this example is all files, as represented by the wildcard expression ((.*)).

About the Author

Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.

9 responses to “Three Ways to Allow Hotlinking in Specific Directories”

Proximuz 2008/01/21 5:02 am

Hi.

It’s there anyway to HotLink Protect my hole site, and just only allow one folder for hotlink. I like to use one folder that i store all my avatars and sigs to other forums.
It’s that possible?

Thanks.

Perishable 2008/01/21 8:09 am • Post Author

Proximuz,

Um, yes, allowing hotlinking in a specific directory is exactly what this article is about. After implementing hotlink-protection sitewide (see link in first paragraph), return to this post and employ any of the three methods to disable protection for the folder of your choice. (Sorry for the redundancy — I just wanted to be clear:)

Regards,
Jeff

Games 2008/12/12 9:45 pm

Great tutorial man… thanks for your help…… bookmarking this page…

Muskie 2010/11/29 3:51 pm

I just did some more testing and it isn’t stopping any hotlinks at all. I deleted her renamed the most problematic files first and that is what is giving people the 403 error. I just tried commenting the symnlinks line too.. Maybe I should have tried a simpler solution first…

###############################
# ultimate hotlink protection #
###############################

# disable directory browsing
# uncomment this option to protect access to directories
# Options -Indexes

# enable the following of symlinks
# uncomment this option if hotlink protection fails to work
Options +FollowSymLinks

# verify presence of mod rewrite

# enable the rewrite engine
RewriteEngine on

# check that file exists
RewriteCond %{REQUEST_FILENAME} -f

# check for requested file types
# include additional file types here
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]

# allow blank referrer requests
RewriteCond %{HTTP_REFERER} !^$

# allow all requests from your domain
# edit the domain to match your own
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?muschamp\. [NC]

# additional site access
# include additional sites here replace domain names and or 
# remove unnecessary lines or add new lines for more sites
# RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain_01\. [NC]
# RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain_02\. [NC]
# RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain_03\. [NC]

# search engine access
# include or remove search engines feed readers and other sites
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteCond %{HTTP_REFERER} !slurp\. [NC]
RewriteCond %{HTTP_REFERER} !mmcrawler\. [NC]
RewriteCond %{HTTP_REFERER} !msnbot\. [NC]
RewriteCond %{HTTP_REFERER} !sandcrawler\. [NC]
RewriteCond %{HTTP_REFERER} !msrbot\. [NC]
RewriteCond %{HTTP_REFERER} !teoma\. [NC]
RewriteCond %{HTTP_REFERER} !jeeves\. [NC]

# allow access to all requests for your anti hotlink image
# to serve an image instead of delivering a 403 error
# uncomment the next line and edit the path and file name
RewriteCond %{REQUEST_URI} http://muschamp.ca/CommonImages/doNotHotLink.jpg [NC]

# deliver the hotlink image for all requests for the listed files
# protect additional file types by editing the list below
# if you are serving a file instead of a 403 
# uncomment the next line and edit the path and file name
RewriteRule \.(gif|jpe?g?|png)$ http://muschamp.ca/CommonImages/doNotHotLink.jpg [R,NC,L]

# return a 403 error when any of the following file types is requested
# you can protect additional file types by editing the list below
# RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]

Rocky 2011/04/10 2:53 am

hi,

Is there any way to disable hotlinking only in specific folders in lighttpd and not on whole site?
Note :-i am talking about lighttpd not apache

Jonathan 2012/04/13 6:03 pm

Thanks for this great post. Fixed my problem in minutes !

Susan 2012/12/18 12:34 am

Is this supposed to show me how to maintain just ONE .htaccess file for my entire hosted space? I don’t want multiple .htaccess files since I am constantly editing this one to block bots and crawlers. I purchased the guide but so far I have not found such a solution in it.

Jeff Starr 2012/12/18 1:49 pm • Post Author

It’s completely up to you.. some sites may use only .htaccess file, others may use multiple files.. it all depends on your goals and the structure of your site. Most cases one .htaccess in the root directory is all that’s needed.

Pali Madra 2013/03/02 10:11 am

Thanks this helped a lot was stuck with one of the site of a client which was not loading properly because hotlinking was disabled.

@jeff I wanted to know if the .htaccess file follows some inheritance rules or not?

Thanks again.

Comments are closed for this post. Something to add? Let me know.

Proximuz 2008/01/21 5:02 am

Hi.

It’s there anyway to HotLink Protect my hole site, and just only allow one folder for hotlink. I like to use one folder that i store all my avatars and sigs to other forums.
It’s that possible?

Thanks.
Perishable 2008/01/21 8:09 am • Post Author

Proximuz,

Um, yes, allowing hotlinking in a specific directory is exactly what this article is about. After implementing hotlink-protection sitewide (see link in first paragraph), return to this post and employ any of the three methods to disable protection for the folder of your choice. (Sorry for the redundancy — I just wanted to be clear:)

Regards,
Jeff
Games 2008/12/12 9:45 pm

Great tutorial man… thanks for your help…… bookmarking this page…

Rocky 2011/04/10 2:53 am

hi,

Is there any way to disable hotlinking only in specific folders in lighttpd and not on whole site?
Note :-i am talking about lighttpd not apache
Jonathan 2012/04/13 6:03 pm

Thanks for this great post. Fixed my problem in minutes !
Susan 2012/12/18 12:34 am

Is this supposed to show me how to maintain just ONE .htaccess file for my entire hosted space? I don’t want multiple .htaccess files since I am constantly editing this one to block bots and crawlers. I purchased the guide but so far I have not found such a solution in it.
- Jeff Starr 2012/12/18 1:49 pm • Post Author
  
  It’s completely up to you.. some sites may use only .htaccess file, others may use multiple files.. it all depends on your goals and the structure of your site. Most cases one .htaccess in the root directory is all that’s needed.
Pali Madra 2013/03/02 10:11 am

Thanks this helped a lot was stuck with one of the site of a client which was not loading properly because hotlinking was disabled.

@jeff I wanted to know if the .htaccess file follows some inheritance rules or not?

Thanks again.