Knowledge Base

Using URL Rewrite to Prevent Image Hotlinking

The Microsoft URL Rewrite Module for IIS 7.0 provides a flexible rules-based rewrite engine that can be used to perform broad spectrum of URL manipulation tasks, including, but not limited to:

Enabling user friendly and search engine friendly URL with dynamic web applications;
Rewriting URL's based on HTTP headers and server variables;
Web site content handling;
Controlling access to web site content based on URL segments or request metadata;

In this KB I will walk you through the process of creating a URL rewrite rule to Prevent Image Hotlinking. Image Hotlinking, also known as leeching, is the use of an image from one site into a web page belonging to a second site. Unauthorized image hotlinking from your site increases bandwidth use, even though the site is not being viewed as intended. There are other concerns with image hotlinking, for example copyrights or usage of images in an inappropriate context.

An example of this would be if I was hosting an image on my site www.Jelly.com , and someone outside my network tried to display it in their site.

Rather than eating all my bandwidth up, with URL Rewrite I can replace any requested images with a place holder like the one below.





First you will need to connect to your site with the Remote IIS Management tool. If you have not installed this tool yet, download the IIS Remote Administration Tool for IIS 7.0 from IIS.net and install it.

Once installed, connect to your site using your site by specifying your fully-qualified domain name (MyAccount-SITE#.MaxEsp.net) as the server name, and your site id (MyAccount-SITE#) as the site name. Then use your control panel username and password to connect. 

Create URL Rewrite Rule
1. Click the URL Rewrite module.
2. Add Rules
3. Blank Rule
4. Name = Prevent image Hotlinking (Or whatever friendly name you would like)
5. Pattern = .*\.(gif|jpg|png)$
6. Add Condition
a. Condition Input = {HTTP_REFERER}
b. Input String = Does not Match the Pattern
c. Pattern = ^$
7. Add a second Condition
a. Condition Input = {HTTP_REFERER}
b. Input String = Does not Match the Pattern
c. Pattern = http://www.jelly.com/ .*   (Replace www.jelly.com with your domain)
8. Action Type = Rewrite
9. Rewrite URL = /images/hotlinking.jpg    (Replace hotlinking.jpg with whatever image you would like to show)
10. Click Apply
10. Click Back to Rules





This rule will rewrite a request for any image file to /images/hotlinking.jpg only if the HTTP Referer header on the request is not empty and is not equal to the site's domain. 

If you don't want to go through all those steps above through the GUI, you can include the following code in your web.config

<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Prevent image hotlinking" enabled="true" stopProcessing="true">
  <match url=".*\.(gif|jpg|png)$" />
  <conditions>
                        <add input="{HTTP_REFERER}" negate="true" pattern="^$" />
                        <add input="{HTTP_REFERER}" negate="true" pattern=" http://www.YourDomain.com/ .*" />
  </conditions>
  <action type="Rewrite" url="/images/hotlinking.jpg" />
</rule>
            </rules>
        </rewrite>
    </system.webServer>