Tip #34: Did you know... How to stop hot-linking from your site using URL Rewrite in IIS 7.0?
Hot-linking is a direct linking to a web-site's file (images, videos etc). An example can be using an <img> tag to display a JPEG image someone finds at your web site. This is also referred to as bandwidth theft as when someone is viewing this site, they will be using the bandwidth of your site to display the JPEG image. The other words used to describe this are leeching, piggybacking, direct linking or offsite image grabs to name a few.
Let's say you have the below copyright image at your web site https://www.contoso.com/img1.jpg which you would like to prevent from hot linking.
URL Rewrite module in IIS 7.0 can be used to achieve this in a very simple way. I will tell you how to do this from IIS Manager. Open IIS Manager and select "Your Web Site (Contoso.com in this case)". In the feature view click "URL Rewrite and click "Add Rules..." in the "Actions" pane. Select "Blank Rule" to start with. This will open up the "Edit Rule" property page. Fill the property page as shown below:
Let me now explain what we have done on this property page:
- Specified name of the rule as "Prevent Leeching". This must be a unique rule.
- Every requested URL will be matched as the pattern is ".*" and is a regular expression.
- Added two condition and specified both the condition to be satisfied (see "Logical Grouping" is "Match All")
- HTTP_REFERRER does not match empty as it can be a direct reference to the image
- HTTP_REFERRER does not match my own site https://www.contoso.com
- If the above two conditions are satisfied (apparently meaning the request is coming from any other site), we are just redirecting it to pick up some other image which can be anything
And that's it. So without writing even a single line of code we are able to prevent hot-linking.
One important thing to remember is that URL Rewrite should be installed for this to work. You can install X86 version here and X64 here. This module is supported for IIS 7.0 and you should be running IIS 7.0 to take advantage of it. Also if you are working with VWD (Visual Studio for Web Developers) your project should be configured to work with IIS 7.0 and not any other web server.
This was one of the cool features showcased in PDC 2008 for IIS 7.0. For other cool features including this please see this complete video at channel9.
Don Raman
SDET, IIS Team
Comments
Anonymous
December 15, 2008
PingBack from http://www.alvinashcraft.com/2008/12/15/dew-drop-december-15-2008/Anonymous
December 15, 2008
PingBack from http://www.alvinashcraft.com/2008/12/15/dew-drop-december-15-2008/Anonymous
December 15, 2008
Should be quick to test on my end, but curious if users subscribed to RSS feed be able to read the images!Anonymous
December 15, 2008
The comment has been removedAnonymous
December 15, 2008
How to break IE7's RSS reader in 1 lesson?Anonymous
December 15, 2008
This is a real cool option! However for those, whose hosting companies(like mine) disallow editing rules in IIS, i have written both a desktop as well as a web solution to watermark images with a logo or site name. Here's the link to the desktop solution: <a href="http://www.dotnetcurry.com/ShowArticle.aspx?ID=243">Watermark and Add Copyright Info to your Images on your Local drive using C# and VB.NET </a> HTH.Anonymous
December 16, 2008
The comment has been removedAnonymous
December 17, 2008
@Aaron: HTTP_REFERRER is something that your browser sends. Yes you are correct this can be spoofed and there are tons of ways available to do it. But the number of people taking this pain will be less as you also mentioned. Also most of the solution I have heard of involves client (browser). This means faking HTTP_REFERRER from the browser and not the site itself. But again I may be wrong. Thanks, Don.Anonymous
December 19, 2008
The comment has been removedAnonymous
March 06, 2009
The comment has been removed