
How to prevent hotlinking using URL Rewrite

(Kristofer Gafvert, August 4, 2010)

Introduction

When a website references images that are located not on the web server where the website is hosted but on another server (another website), it is called hotlinking (other common names include inline linking, direct linking and leeching). Hotlinking may be legitimate in some situations, for example large websites that host images on a different server than the website itself (images.website.com instead of www.website.com). This article, however, discusses the situation where hotlinking is unwanted and "steals" bandwidth from your server. The technique used is to look at the Referer header to find out whether the request for the image comes from your own website or from another website.

The first thing you need to do is install URL Rewrite from www.iis.net.

Using the GUI

This section will guide you through the process of setting up URL Rewrite to prevent hotlinking, using the GUI.

  • Start IIS Manager (if you had it open while installing URL Rewrite, you may need to restart it).
  • Select the website in the left pane.
  • Double click "URL Rewrite" in the middle pane.
  • Click "Add Rule(s)" in the right pane.
  • Select “Blank rule” in the section "Inbound Rules".
  • Name the rule, for example "Prevent Image Hotlinking"
  • Select "Matches the pattern"
  • Add the pattern ".*\.(gif|jpg|png)$" (without the quotes)
  • In the Conditions section, add the following condition to prevent serving images when the Referer header is missing.
    • Condition Input: {HTTP_REFERER}
    • Check if input string: Does not match the pattern
    • Pattern: ^$
  • Add a second condition to prevent serving images when the Referer header is not your own website (the pattern matches both www.it-notebook.org and it-notebook.org, since it is common that both domain names are used). Remember that you need to replace "it-notebook" with your own website, and "org" with your TLD (com/org/net).
    • Condition Input: {HTTP_REFERER}
    • Check if input string: Does not match the pattern
    • Pattern: ^http://(.*\.)?it-notebook\.org/.*$
  • In the Action section (remember that you need to change the path to your own):
    • Action Type: Rewrite
    • Rewrite URL: /images/no_hotlinking_allowed.jpg
  • Click Apply

Direct editing of web.config

This section will guide you through the process of setting up URL Rewrite to prevent hotlinking, by directly editing web.config.

  • Open or create web.config in the root folder of the website
  • Paste the following (if you already have a web.config with configurations, you need to paste parts of this into the correct section):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Prevent Image Hotlinking">
                    <match url=".*\.(gif|jpg|png)$" />
                    <conditions>
                        <add input="{HTTP_REFERER}" pattern="^$" negate="true" />
                        <add input="{HTTP_REFERER}" pattern="^http://(.*\.)?it-notebook\.org/.*$" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="/images/no_hotlinking_allowed.jpg" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
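
The rule's decision logic, modelled in JavaScript as an added example (not code from the original article), so the patterns can be tested against Referer values before deployment. It assumes URL Rewrite's defaults (ECMAScript pattern syntax, case-insensitive matching, all conditions must match); `evaluate`, `STRICT_CONDITIONS` and the sample requests are constructed for illustration, and the stricter pattern is a suggested variant, not the author's.

```javascript
// Added example: models the "Prevent Image Hotlinking" rule from this page.
// Assumed URL Rewrite defaults: ECMAScript patterns, ignoreCase=true,
// logicalGrouping=MatchAll. Function and constant names are hypothetical.
const MATCH_URL = /.*\.(gif|jpg|png)$/i;
const PAGE_CONDITIONS = [
  { pattern: /^$/i, negate: true },
  { pattern: /^http:\/\/(.*\.)?it-notebook\.org\/.*$/i, negate: true },
];
// Variant (assumption, not from the page): also accept https, and keep the
// optional subdomain inside the host name by excluding "/" from it.
const STRICT_CONDITIONS = [
  { pattern: /^$/i, negate: true },
  { pattern: /^https?:\/\/([^\/]*\.)?it-notebook\.org\/.*$/i, negate: true },
];
const PLACEHOLDER = "/images/no_hotlinking_allowed.jpg";

// Returns the path that would be served for this request under the rule.
function evaluate(path, referer, conditions = PAGE_CONDITIONS) {
  // <match url> is tested against the path without its leading slash.
  if (!MATCH_URL.test(path.replace(/^\//, ""))) return path;
  // A missing Referer header expands {HTTP_REFERER} to an empty string.
  const input = referer || "";
  // negate="true" means the condition holds when the pattern does NOT match.
  const allHold = conditions.every(c => c.pattern.test(input) !== c.negate);
  return allHold ? PLACEHOLDER : path;
}

// Constructed sample requests: [path, Referer header value].
const SAMPLES = [
  ["/images/logo.png", ""],                                  // no Referer
  ["/images/logo.png", "http://www.it-notebook.org/iis/"],   // own site
  ["/images/logo.png", "http://other.example/page.html"],    // other site
  ["/images/logo.png", "https://www.it-notebook.org/iis/"],  // own site, https
  ["/images/logo.png", "http://other.example/x.it-notebook.org/"], // name in path
  ["/iis/article.html", "http://other.example/page.html"],   // not an image
];
for (const [path, referer] of SAMPLES) {
  console.log(JSON.stringify(referer), "->", evaluate(path, referer),
              "| strict:", evaluate(path, referer, STRICT_CONDITIONS));
}
```

With the page's patterns, an https page on your own site is treated as a foreign referrer, and a Referer that only carries the domain name in its path is treated as your own site; the variant pattern handles both cases.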

Applies to

IIS 7.0, IIS 7.5

Resources

How to prevent hot linking (IIS 6)
URL Rewrite Module Configuration Reference
URL Rewrite Module
Regular Expression Test Page