
Alden Bates' Weblog

Feigning normality since 1973

More on "Even better hotlink protection"

Filed in: Website Management.

I was asked to share the .htaccess and Perl code I used to achieve my new hotlink protection method, so, first of all, from my .htaccess file for

ErrorDocument 403 /cgi-bin/err403.cgi

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} .*jpg$|.*gif$|.*png$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !tetrap\.com [NC]
RewriteRule (.*) - [F,L]

The first line sets the Perl script I'm using as my error 403 document, so whenever anyone gets an error 403, that script is executed and the output sent to their browser. The next line starts processing with mod_rewrite. Line 3 matches if the request is for a filename corresponding to an image file - if your images are named differently, you should change this line to suit. The next line will halt if there is no referrer present in their request, because many people have referrer reporting turned off. Line 5 halts if the referrer contains the text given in that line's pattern. Should all the tests succeed (the user is requesting an image, and the referrer is set to another site), they will get a 403 error and the script will execute.
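The three conditions described above can be checked against sample requests before the rules go live. The following Perl sketch is an added example, not the author's code: the sample requests are constructed, and `$host_only` is an assumed stricter variant that compares only the referrer's host name.

```perl
#!/usr/bin/perl
# Added example (not the author's script): models the three RewriteCond
# tests so the rule set can be checked against sample requests.
use strict;
use warnings;

# Returns 1 when every condition matches, i.e. the request gets the 403.
# $is_own_site is a code ref that decides whether a referrer is "ours".
sub blocked {
    my ($file, $referer, $is_own_site) = @_;
    return 0 unless $file =~ /.*jpg$|.*gif$|.*png$/i;  # line 3: image name [NC]
    return 0 if $referer eq '';                         # line 4: no referrer sent
    return 0 if $is_own_site->($referer);               # line 5: referrer is ours
    return 1;
}

# Line 5 as written on the page: unanchored, case-insensitive substring match.
my $page_rule = sub { $_[0] =~ /tetrap\.com/i ? 1 : 0 };

# Assumed stricter variant (not from the page): compare the host name only.
my $host_only = sub {
    my ($host) = $_[0] =~ m{^https?://([^/:?#]+)}i or return 0;
    return $host =~ /(?:^|\.)tetrap\.com$/i ? 1 : 0;
};

# Constructed sample requests: [requested file, Referer header value].
my @samples = (
    ['/pics/cover.jpg', ''],
    ['/pics/cover.jpg', 'http://www.tetrap.com/gallery.html'],
    ['/pics/cover.JPG', 'http://forum.example.net/thread/42'],
    ['/index.html',     'http://forum.example.net/thread/42'],
    ['/pics/cover.png', 'http://forum.example.net/tetrap.com.html'],
);

printf "%-16s %-42s %-10s %s\n", 'file', 'referrer', 'page rule', 'host only';
for my $s (@samples) {
    my ($file, $ref) = @$s;
    printf "%-16s %-42s %-10s %s\n",
        $file, ($ref eq '' ? '(none)' : $ref),
        (blocked($file, $ref, $page_rule) ? '403' : 'served'),
        (blocked($file, $ref, $host_only) ? '403' : 'served');
}
```

The last sample is the case where the two checks differ: the substring test treats any referrer containing the domain text as the site's own, while the host-only comparison does not.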

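And now the Perl script:

# Error 403 script by Alden Bates (

# Path the visitor asked for (the REDIRECT_URL fallback is an assumption; this part is cut off on the page)
$theurl = $ENV{'REQUEST_URI'};
if($theurl eq "/cgi-bin/err403.cgi") {
  $theurl = $ENV{'REDIRECT_URL'};
}

if($theurl =~ /jpg$|gif$|png$/i) {
  # Image request: send error403.gif (file location next to the script is assumed)
  open(GFX, "<", "error403.gif") or die "error403.gif: $!";
  binmode(GFX); binmode(STDOUT);
  $size = -s GFX;
  print "Content-type: image/gif\n\n";
  $amount=read GFX,$data,$size;
  print "$data";
} else {
  # Anything else: send the static error page
  open(HTML, "<", "error403.html") or die "error403.html: $!";
  print "Content-type: text/html\n\n";
  while(<HTML>) {
    print "$_";
  }
}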

Here, the first clump of code fetches the path to the file that the user was trying to load. The rest of the code looks at the path to see if it is an image. If so, the script opens error403.gif and sends it to the user. If not, it opens error403.html (which is an error page) and sends that to the user. Note that, because the script is sending the file directly, any server-side includes or code will not be executed, so this would not be suitable for, say, a php script.

So that's basically it!

Posted July 1, 2006 10:26 AM


I'm getting my feeble brain around the .htaccess code and the Perl code and will incorporate it into my pathetic attempts to foil spammers who are filling out my subscribe form (!) even though the results do not appear on the web anywhere and I'm the only one who sees the spam, and since it's a lot of work to fill out the form and submit for only one hit I've NO IDEA what the heck they are trying to accomplish????

Posted by: Mike | July 1, 2006 12:13 PM
