Block External Suckage Of Your Images, Prying Eyes
Holy server resources and bandwidth suckage Batman! Seriously- hot-linking to your images and media files from search engines and other sites can be a good thing- but also a very bad thing, depending on what it is that's being hot-linked and whether or not you want there to be external linking to your file(s).
In the best case scenario, it drives traffic to your site and helps advertise for you, freely. In the worst case scenario you piss off your webhost and in turn have outages.
NOT AN ISSUE
Case in point: BraveNewCode. We want people to link to our downloads, our images, and so on. It’s good advertising for us, and our web setup is such that it won’t really become a problem for us, for now anyways.
TOTALLY AN ISSUE
Case in point: matthewgood.org. For Matt’s site, this is a big problem, especially when you consider 404 errors pointed at non-existent files sucking up bandwidth.
Matt gets a lot of traffic- he’s been a top blog in Canada for years and years- and as such there are links to his site and content that stretch way back. He’s also well indexed by all search engines, and that means that every image & video sitting in a directory on the server needs to be controlled in terms of external access- otherwise he’d be well over the monthly server resource limits allocated to him by Media Temple and his modest shared-server grid plan.
In order to control just who has access to what files, we’ve implemented an .htaccess rule for certain folders which restricts the ability for external sites to index, view, and link to them successfully.
The rule looks like this, inside each .htaccess file in each folder you want to restrict access to:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?bravenewcode\.com(/|$) [NC]
RewriteRule \.(png|gif|jpeg|jpg|tiff|psd|flv|mpg|mpeg|mp3)$ - [NC,F]
The first line here turns on the mod_rewrite engine; it is needed once per .htaccess file.
The next line is needed to allow proxy caches. If you take it out, then anyone without a referer won't be able to view your site. Many proxy caches, for instance, block referers, and that looks the same as a directly-entered URL.
The third tells the .htaccess file where to allow image files to be served from – in this case it will allow images to be served from http://bravenewcode.com and http://www.bravenewcode.com (remember to update this for your own domain!).
The final line instructs the .htaccess file what file types to restrict the serving of, and is case insensitive (the NC). The F in the square brackets forces the current URL to be forbidden, so the server answers with a 403 Forbidden response.
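Before deploying a rule like this, it helps to check which Referer values a given pattern actually lets through. The following is an added example, not code from the original post: a small Python model of the rule's decision logic that compares a loosely written host pattern with a strict one. The names status, report, LOOSE, STRICT and SAMPLES are hypothetical, and the example.org and example.net referers are constructed sample data.

```python
import re

# File types covered by the RewriteRule pattern ([NC] = case insensitive).
MEDIA = re.compile(r"\.(png|gif|jpeg|jpg|tiff|psd|flv|mpg|mpeg|mp3)$", re.I)

# Loose: the dot before "com" is unescaped and nothing terminates the host.
LOOSE = r"^http://(www\.)?bravenewcode.com"
# Strict: literal dot, and the host must be followed by "/" or end of string.
STRICT = r"^http://(www\.)?bravenewcode\.com(/|$)"


def status(path, referer, allowed):
    """Return 403 if the rule would forbid the request, otherwise 200."""
    if not MEDIA.search(path):
        return 200  # RewriteRule pattern does not match, rule is skipped
    # The two RewriteCond lines are both negated and ANDed together.
    has_referer = referer != ""                          # !^$
    is_foreign = not re.search(allowed, referer, re.I)   # !^http://... [NC]
    return 403 if (has_referer and is_foreign) else 200


# Constructed sample requests: (requested path, Referer header).
SAMPLES = [
    ("photo.jpg", ""),                                    # direct hit or stripped referer
    ("photo.jpg", "http://www.bravenewcode.com/blog/"),   # the site's own page
    ("photo.JPG", "HTTP://BraveNewCode.com"),             # case differences
    ("photo.jpg", "http://images.example.org/search"),    # external site
    ("photo.jpg", "https://www.bravenewcode.com/"),       # own page served over HTTPS
    ("photo.jpg", "http://bravenewcode.com.example.net/page"),  # look-alike prefix
    ("photo.jpg", "http://bravenewcodexcom.example.net/"),      # matches unescaped dot
    ("index.html", "http://images.example.org/"),         # not a restricted type
]


def report(allowed):
    """Status codes for every sample request under the given host pattern."""
    return [status(path, ref, allowed) for path, ref in SAMPLES]


if __name__ == "__main__":
    for (path, ref), loose, strict in zip(SAMPLES, report(LOOSE), report(STRICT)):
        print(f"{loose} {strict}  {path:<11} {ref or '(empty)'}")
```

Both patterns forbid the site's own pages when they are served over HTTPS, because the condition only allows referers that begin with http://.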
PEEPING BROWSERS
Lastly, if you want to ensure that someone can’t browse a directory just by entering it as a URL in a browser (visit http://www.bravenewcode.com/example/ to see what we mean), you can add this bit of code to the bottom of your .htaccess files to ensure folks can’t peep your naked goods:
<Files .htaccess>
order allow,deny
deny from all
</Files>
Another option if your server is set up so that it allows overrides is to add this line to your .htaccess file:
Options -Indexes
That instructs your webserver not to allow directory-style listings in that directory.
One Comment
2 years, 3 months
Good writing. Keep up the good work. I just added your RSS feed to my Google News Reader.
Matt Hanson