using .htaccess to stop image leeching, Mike Perry, Tech tips and programming tricks

Looking at some system logs, I came across the typical situation of people linking images on my site without permission. That's fine and typically unavoidable but when the leeching becomes excessive, it's important to control it. Also, you can use this to your advantage by advertising your site, and compensating for the fact that people are taking images outside the context of your web pages.

First you need to make sure you have Apache and mod_rewrite installed and enabled. I'm not going to go into that. Second, create an .htaccess file in the directory you want to protect:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^.*mikeperry.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*reddit.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*google.com/.*$ [NC]
RewriteCond %{REQUEST_URI} !/images/stop.jpg
RewriteRule .*.(mpg|png|mp3|gif|GIF|jpg|JPG)$ http://mikeperry.org/images/stop.jpg [R]

What the above commands do is create a series of conditions, which if met, will trigger the rewrite rule which redirects to an alternate image that you create that says something like, "Hey stop stealing images" or "please visit this site: xxxxx" The rules above not only allow for referers from my own site (and blank referers) but give permission to sites like reddit.com and google.com -- you can modify that or add more. Now, that stuff is common knowledge but I noticed something else going on:

x.x.x.x - - [01/Jan/2008:22:39:09 -0600] "GET /images/bladh.jpg HTTP/1.1" 200 100212 "-" "facebookexternalhit/1.0 (+http://www.facebook.com/externalhit_uatext.php)"

What we have here is Facebook image leeching as well. But Facebook is sneaky. They do not reveal the URL from which the image leeching is occuring. It's bad enough to leech, but it's even worse to do so and mask the source of the leeching, so what we want to do here is stop this from happening, but since Facebook doesn't pass the HTTP_REFERER, we cannot tell who's stealing the image. So we need to match the user agent and redirect them. Normally, I'd consider adding facebook to the list of exceptions but this sneaky move on their part makes it worthwhile to ban them. You do this by adding this command:

RewriteCond %{HTTP_USER_AGENT} ^facebookexternalhit.*$ [OR]

To the beginning of the file right after the RewriteEngine on command:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^facebookexternalhit.*$ [OR]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^.*mikeperry.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*reddit.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*google.com/.*$ [NC]
RewriteCond %{REQUEST_URI} !/images/stop.jpg
RewriteRule .*.(mpg|png|mp3|gif|GIF|jpg|JPG)$ http://mikeperry.org/images/stop.jpg [R]

And there we go. Facebook gets face-planted.. you can tell from the logs by the 302 error:

x.x.x.x - - [01/Jan/2008:22:39:09 -0600] "GET /images/bladh.jpg HTTP/1.1" 302 226 "-" "facebookexternalhit/1.0 (+http://www.facebook.com/externalhit_uatext.php)"