(This text was written for the drupal handbook but didnt quite fit in, so I am reposting it here)

In case you have images in your image gallery drupal site, people might link or deeplink to these images. Deeplinking an image from one site to another might is okay for some people who want to share information (pictures) and make them available on an other place. Other people might think of it as bandwidth theft, you are providing resources to be shown out of context on another site.

Deeplinking images is complex from a legal point, in some countries it is explicit allowed, others forbidden. However, preventing deeplinking images is a very simple thing if you are using Apache.

On this page you can find some information on how you can prevent “image theft” from within Apache. Note that this feature has nothing to do with Drupal, please search the web for answers, look for newsgroups regarding Apache or post in usenet, but don’t use the Drupal forums of IRC channels for support.

Prevention of bandwidth theft is based on something that is called “referrer” string, a text string your browser sends to the website when asking for an object telling the website from what URL the object was asked from. If this URL is a URL for your site (or a trusted site) the image will be served, in case the URL differs, the image will not show in the browser. There are some powerful things you can do with this method, like sending an image with text mentioning the URL of your website. However, please note that sending a fake referrer sting is trivial, users and robots can spoof the referrer rather easy. Some browser are configured not to send referrers are have bugs in sending referrers and some proxy servers don’t send referrers to protect the privacy for the users, changes are you will be blocking legitimate users as well.

If you still want to prevent the image deeplinking, there are two ways of doing this. You can make an accesslist on your image directory with a necessary referrer string to access it. Or you can use a method called rewring URLS’s (which is used for drupals clean URL option as well).

Both options rely on editing the .htaccess file of Apache. In the examples used for both ways we want to prevent deeplink images of the type GIF, PNG and JPEG. Other types or media can be added easy. The site they are hosting on –and should be in the referrer string- is www.example.com and is also known as example.com. Please change this domainname to you fully qualified domain name(s)

Now for the first method, go to your drupal install directory (usually the document root of your webserver) and look for a file called .htaccess. Make a backup copy of this file and edit it. At the end of the file add the following lines:

SetEnvIfNoCase Referer "^http://www.example.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://www.example.com$" locally_linked=1
SetEnvIfNoCase Referer "^http://example.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://example.com$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g)$">
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>

You don’t have to restart your webserver process and please don’t change the “referer” typo in the configuration, it is there as a geeky tribute to a dyslectic Apache coder.

Save the file and try to see if you can still access images by (shift) reloading your website in a browser. If this still works, try to hot link a image from another site, you shouldn’t be able to see the picture. If something went wrong, restore the backup file and search for help outside the drupal.org community.

The second way of preventing deeplinking is more powerful but based on the same principles. In case the refferer string is not our site, we will serve another image called “please_do_not_hotlink_our_images.png” from the document root. Note that you will have to make this image yourself. Now make sure that you are using Apache as a webserver and that mod_rewrite is enabled. Once again, go to your drupal install directory and look for a file called .htaccess. Make a backup copy of this file and edit it. Search for a line called “RewriteEngine” and make sure that the next word is “on”, “RewriteEngine On”. In case you haven’t got this line and are sure you are using mod_rewrite, add the line yourself.

Now add the following lines after the “RewriteEngine On”

RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.( gif|png|jpe?g)$ / please_do_not_hotlink_our_images.png [L]
SetEnvIfNoCase Referer "^http://www.example.com /" locally_linked=1
SetEnvIfNoCase Referer "^http://www.example.com$" locally_linked=1
SetEnvIfNoCase Referer "^http://example.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://example.com$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g)$">
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>

Once again test it from your own site and another site and in case your site breaks or isn’t preventing image deeplinking, rollback your configuration file.