iis web-config hotlinking

Prevent Hotlinking not working IIS 10 - Windows server 2016


I don't know how to prevent hotlinking on IIS 10 with web.config. I found a solution on Google, but it doesn't seem to be working. This is my code:

            <rule name="Hotlinking Preventing" stopProcessing="true">
                <match url=".*\.(png|jpe?g|gif)" />
                <conditions>
                    <add input="{HTTP_REFERER}" pattern="^$" negate="true" />
                    <add input="{HTTP_REFERER}" pattern="^https?://(m\.)?domain\.com/.*$" negate="true" />
                </conditions>
                <action type="Rewrite" url="/assets/images/hotlinking.png" />
            </rule>

Any idea :( ? Thank you so much.


Solution

  • As website developers, we sometimes don't want the images on our own website to be directly referenced and shown on other people's websites. It can consume a lot of network bandwidth in our datacenters in some cases, which means we pay money for those who use our images.

    For example, your website is www.sample1.com, you have an image at http://www.sample1.com/test.jpg, and www.sample2.com uses your image on www.sample2.com by putting a tag in their HTML. This causes network requests to go to your server, consuming your resources.


    If the user lands on www.sample2.com visiting http://www.sample1.com/test.jpg, for www.sample1.com's web server, the HTTP request for this particular image will have an HTTP header named "referer" with a value of "http://www.sample1.com....". This is where we will check and block the request.

    URL rewrite rule:

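    <rule name="Prevent Image Hotlinking">
        <match url=".*\.(jpg|jpeg|png|gif|bmp)$" />
        <conditions>
            <!-- Both conditions must hold: a Referer is present, and it is not our own site -->
            <add input="{HTTP_REFERER}" pattern="^$" negate="true" />
            <add input="{HTTP_REFERER}" pattern="^http://www\.sample1\.com/.*$" negate="true" />
        </conditions>
        <!-- Serve a placeholder image instead of the requested one -->
        <action type="Rewrite" url="/img/no_hotlinking.png" />
    </rule>
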


    If it still does not work, try disabling the cache and try again.

    If you want to block multiple sites, you could also use a rewrite map and set the list of sites.

    <system.webServer>
      <rewrite>
        <rules>
          <rule name="Blacklist block" stopProcessing="true">
              <match url="(?:jpg|jpeg|png|gif|bmp)$" />
              <conditions>
                  <add input="{HTTP_REFERER}" pattern="^https?://(.+?)/.*$" />
                  <add input="{DomainsBlackList:{C:1}}" pattern="^block$" />
                  <add input="{REQUEST_FILENAME}" pattern="splog.png" negate="true" />
              </conditions>
              <action type="Redirect" url="http://www.hanselman.com/images/splog.png" appendQueryString="false" redirectType="Temporary"/>
          </rule>
        </rules>
        <rewriteMaps>
          <rewriteMap name="DomainsBlackList" defaultValue="allow">
            <add key="google-chrome-browser.com" value="block" />
            <add key="www.verybadguy.com" value="block" />
            <add key="www.superbadguy.com" value="block" />
          </rewriteMap>
        </rewriteMaps>
      </rewrite>
    </system.webServer>
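
The matching logic of the "Prevent Image Hotlinking" rule can be checked offline before editing web.config. The following is an added example, not code from the original answer: a simplified Python model of that rule, run over constructed requests. It assumes URL Rewrite's default behaviour (case-insensitive patterns, `<match url>` applied to the path without leading slash or query string, all conditions required) and uses the answer's Referer pattern with the dots escaped and `https?` allowed.

```python
import re
from urllib.parse import urlsplit

# Simplified model of how IIS URL Rewrite evaluates the rule (assumptions
# stated in the lead-in): patterns are case-insensitive, <match url> sees the
# path without leading slash or query string, and conditions are ANDed.
URL_PATTERN = r".*\.(jpg|jpeg|png|gif|bmp)$"
CONDITIONS = [  # (pattern tested against {HTTP_REFERER}, negate)
    (r"^$", True),                                # Referer must be present
    (r"^https?://www\.sample1\.com/.*$", True),   # ...and not our own site
]
PLACEHOLDER = "/img/no_hotlinking.png"


def evaluate(request_url, referer=""):
    """Return the path that would be served for this request."""
    path = urlsplit(request_url).path
    if not re.search(URL_PATTERN, path.lstrip("/"), re.IGNORECASE):
        return path                     # not an image: rule does not apply
    for pattern, negate in CONDITIONS:
        matched = re.search(pattern, referer, re.IGNORECASE) is not None
        if matched == negate:           # condition is false, rule does not fire
            return path
    return PLACEHOLDER                  # all conditions true: rewrite


# Constructed sample requests: (requested URL, Referer header)
SAMPLES = [
    ("http://www.sample1.com/test.jpg", "http://www.sample1.com/page.html"),
    ("http://www.sample1.com/test.jpg", "http://www.sample2.com/"),
    ("http://www.sample1.com/test.jpg", ""),
    ("http://www.sample1.com/TEST.JPG?v=2", "http://www.sample2.com/"),
    ("http://www.sample1.com/test.jpg", "http://www.sample1.com.example/x"),
    ("http://www.sample1.com/index.html", "http://www.sample2.com/"),
]


def run_samples():
    return [(url, ref, evaluate(url, ref)) for url, ref in SAMPLES]


if __name__ == "__main__":
    for url, ref, served in run_samples():
        print(f"{url:40} Referer={ref or '(none)':36} -> {served}")
```

Requests that carry no Referer header still receive the image, so the rule limits embedding on other sites but is not an access control.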