Prevent hotlinking from images and files


lexington
04-19-04, 01:04 AM
Hello, I have a downloads directory that I would like protected from hotlinking from outside sites other than my own domain. Could anyone please be kind enough to give me the code to enable this? I already know how to generate the htaccess to block image files, but what about zip files? Thanks

Chicken
04-19-04, 05:32 AM
It should be the same. In your anti-hotlinking code that you have (which is an .htaccess file, correct?) you can add the .zip extension. Post what you have if you're unsure and we'll take a look. If you're using a script of some sort, then that's another thing.

lexington
04-19-04, 06:43 AM
Hey thanks a lot, yes it is htaccess. Here is my code (mysite replaced with my real url)

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite.com(/)?.*$ [NC]
RewriteRule .*\.(gif|jpg|jpeg|bmp)$ - [F,NC]

Toolz
04-19-04, 07:37 AM
That's the first time I've seen the RE written like that! I would be more comfortable adding two RewriteCond lines for yoursite.com and www.yoursite.com

Also I've never seen the trailing (/)? -- I doubt it's necessary.

Anyway you said it's working for you so ... it's just a case of adding "zip" to the RewriteRule line:

RewriteRule .*\.(gif|jpg|jpeg|bmp|zip)$ - [F,NC]

Note that I could still leech your stuff by accessing through https or by IP address. Or by making my leecher not send a referrer.

If you want to block blank referrers then you'll need to delete the line:

RewriteCond %{HTTP_REFERER} !^$

More often than not blank referrers are up to no good but it could indicate they're behind a proxy.

lexington
04-19-04, 07:47 AM
OK thanks, so by simply removing the

RewriteCond %{HTTP_REFERER} !^$

line, that would block people from accessing it via https, IP, and the normal hotlink way? Thanks :D Oh also, is it ok to just edit htaccess via cpanel file manager? Thanks

Toolz
04-19-04, 07:54 AM
No!

To block access by https and IP address you need to add further RewriteCond %{HTTP_REFERER} !^******** lines.

Removing the "RewriteCond %{HTTP_REFERER} !^$" line blocks the ability to access with the referrer set to blank. (Most people keep this line...)

Yes editing via Cpanel filemanager is fine.

lexington
04-19-04, 07:59 AM
Ok you have confused me :) Could you please paste the whole code for me to block all means of hotlinking please? :D

Chicken
04-19-04, 03:23 PM
I think he meant just repeat the line:

RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite.com(/)?.*$ [NC]

-but with the IP address and with https, something like...

RewriteCond %{HTTP_REFERER} !^https://(www\.)?mysite.com(/)?.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://ip.add.ress(/)?.*$ [NC]

-but I'll let him post it just to be sure. I'm not certain on the IP address coding there.

Toolz
04-19-04, 06:48 PM
Yes

Unless you're confident with your RegExps, most people would end up with five to eight RewriteConds in this situation.

Rather than spoonfeed I think it'd be better to supply these resources:

http://www.scriptygoddess.com/archives/000988.php
http://httpd.apache.org/docs/mod/mod_rewrite.html

or wait a minute: there's this:
http://www.htmlbasix.com/disablehotlinking.shtml

Note that the https question is tricky. Unless you have a dedicated IP you won't be able to access by https://www.mydomain.com. But on a typical setup you'll be able to access with something like https://w.x.y.z/~username/

If you have a dedicated IP you'll probably be able to access by many different variations.

Don't forget subdomains come into play.

If this looks tricky, that's because it is. To quote a wise man: "The great thing about mod_rewrite is it gives you all the configurability and flexibility of Sendmail. The downside to mod_rewrite is that it gives you all the configurability and flexibility of Sendmail."

peterjohn0
12-16-04, 04:28 PM
Ok - so I'm trying to do the same thing here, only I'm going from one site to another. The first site hosts the pages via HTTPS and that is a Windows box running IIS.

The second box is a FreeBSD server running Apache webserver.

I have put the following in the .htaccess file in the directory where my files are going to be located:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^(http|https)://(www\.)?mydomain\.com.*$ [NC]
RewriteRule .* - [F]

This works fine, if I make a referral from a page under http://www.mydomain.com but not if the referral comes from https://www.mydomain.com.

Just for sanity's sake, I tried using the Javascript object document.referrer on a page in the Apache server's directory (and I deleted the .htaccess file so the request would go through) and it appears that when I go from HTTPS to HTTP the HTTP_REFERER variable is lost (i.e. blank). This is no good. While I know it isn't the best security in the world, I'm trying to prevent the casual interloper from being able to access this directory and download these files. If someone knows the location and realizes they can spoof the HTTP_REFERER it's pointless - so please don't respond about the various negatives to this type of protection.

What I really want to know is WHY the HTTP_REFERER information is not being transmitted between the two servers when the first server starts on an https:// page.

Thanks.
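
Added example (not code from any poster in the thread): a Python model of how the thread's negated, ANDed RewriteCond lines treat a set of constructed Referer values, including the blank Referer peterjohn0 observed, which is what arrives when a link leads from an HTTPS page to an HTTP URL because browsers omit the header in that case. It models only the Referer conditions, not the RewriteRule's extension match; the `strict` pattern and all sample hosts are assumptions, not from the thread.

```python
import re

# Negated RewriteCond patterns as posted in the thread ([NC] -> re.IGNORECASE).
BLANK = r"^$"
HTTP = r"^http://(www\.)?mysite.com(/)?.*$"
HTTPS = r"^https://(www\.)?mysite.com(/)?.*$"
RULESETS = {
    "lexington": [BLANK, HTTP],
    "with_https": [BLANK, HTTP, HTTPS],
    # peterjohn0's single condition: no "!^$" line, so a blank Referer is refused
    "peterjohn0": [r"^(http|https)://(www\.)?mydomain\.com.*$"],
    # Assumption, not from the thread: dot escaped, host must end at "/" or end of string
    "strict": [BLANK, r"^https?://(www\.)?mysite\.com(/|$)"],
}

# Constructed Referer values; the hosts are placeholders.
SAMPLES = [
    "",                                       # header absent, e.g. HTTPS page -> HTTP link
    "http://www.mysite.com/downloads/",
    "https://www.mysite.com/page.html",
    "https://www.mydomain.com/page.html",
    "http://mysite.com.example.net/a.html",   # allowed host is only a prefix
    "http://mysite-com.example.net/a.html",   # unescaped "." matches "-"
    "http://other.example/gallery.html",
]


def forbidden(referer, negated_patterns):
    """True if RewriteRule ... [F] would apply.

    Every RewriteCond in the thread is "!pattern" and conditions are ANDed,
    so the request is refused only when the Referer matches none of them.
    """
    return all(re.search(p, referer, re.IGNORECASE) is None
               for p in negated_patterns)


def evaluate():
    """Map ruleset name -> {referer: 'F' or 'ok'} for every sample."""
    return {name: {ref: "F" if forbidden(ref, pats) else "ok" for ref in SAMPLES}
            for name, pats in RULESETS.items()}


if __name__ == "__main__":
    table = evaluate()
    for ref in SAMPLES:
        row = "  ".join(f"{name}={table[name][ref]}" for name in RULESETS)
        print(f"{ref or '(blank)':40} {row}")
```

The two lookalike hosts pass lexington's pattern because its dot is unescaped and nothing terminates the host name, while the `strict` row refuses them.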