Why you really should not hotlink · 2007-04-24 06:13 by Wladimir Palant
If you run a web site, you probably see this occasionally as well — people use your images, and instead of copying them over to their own servers they simply hotlink to your server. Now I don’t mind it when people use my images, nothing really worth protecting here. But I don’t like it when they start stealing my bandwidth and spamming my access logs.
So far it has been mostly forums. That’s annoying, of course, but people posting in these forums simply don’t know better and there aren’t many hits anyway. Today, however, I saw that a particular Italian site published news on the Adblock Plus 0.7.5 release and simply hotlinked to the image from my first page. This created over a thousand hits in my access logs on just one day. Too bad for them, because I have now reconfigured my web server to redirect these requests to this little gem (courtesy of hetemeel.com). I wonder how long it will take them to notice this.
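Hotlinking shows up in the access log as image requests whose Referer points at somebody else’s host, so a thousand hits from one site is easy to spot before it costs much bandwidth. The following script is an added example, not something from this post or from the Adblock Plus site; it parses lines in the common "combined" log format (the default for Apache and nginx), counts image requests per external Referer host, and lists the hosts above a threshold. The log lines, the own-host name example.org and the threshold are all constructed for the illustration. Requests without a Referer are deliberately ignored: browsers send none for direct hits, so their absence proves nothing either way.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# "Combined" access log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Extensions we treat as images; extend as needed.
IMAGE_EXT = ('.png', '.gif', '.jpg', '.jpeg', '.ico', '.svg')


def referer_host(referer):
    """Lower-case host of a Referer header, or None when it is absent ('-') or unparseable."""
    if not referer or referer == '-':
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_own_host(host, own):
    """True for the site's own hosts and their subdomains (www., static., ...)."""
    return host in own or any(host.endswith('.' + o) for o in own)


def hotlink_counts(lines, own_hosts):
    """Count image requests per external Referer host."""
    own = {h.lower() for h in own_hosts}
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        path = m['path'].lower().split('?', 1)[0]  # drop any query string
        if not path.endswith(IMAGE_EXT):
            continue
        host = referer_host(m['referer'])
        if host is None or is_own_host(host, own):
            continue
        counts[host] += 1
    return counts


def flag_hotlinkers(lines, own_hosts, threshold=100):
    """Hosts with at least `threshold` hotlinked image requests, busiest first."""
    counts = hotlink_counts(lines, own_hosts)
    return [(host, n) for host, n in counts.most_common() if n >= threshold]


# Constructed sample log (not real traffic); the site's own host is example.org.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Apr/2007:10:00:01 +0200] "GET /screenshot.png HTTP/1.1" 200 48213 "http://news.example.it/adblock-plus-0.7.5" "Mozilla/5.0"',
    '203.0.113.6 - - [24/Apr/2007:10:00:07 +0200] "GET /screenshot.png HTTP/1.1" 200 48213 "http://news.example.it/adblock-plus-0.7.5" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Apr/2007:10:00:15 +0200] "GET /screenshot.png?v=2 HTTP/1.1" 200 48213 "http://news.example.it/adblock-plus-0.7.5" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Apr/2007:10:05:00 +0200] "GET /screenshot.png HTTP/1.1" 200 48213 "http://www.example.org/" "Mozilla/5.0"',
    '198.51.100.8 - - [24/Apr/2007:10:05:09 +0200] "GET /screenshot.png HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Apr/2007:10:06:30 +0200] "GET /index.html HTTP/1.1" 200 1024 "http://forum.example.net/t/1" "Mozilla/5.0"',
    '198.51.100.10 - - [24/Apr/2007:10:06:31 +0200] "GET /screenshot.png HTTP/1.1" 200 48213 "http://forum.example.net/t/1" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for host, n in flag_hotlinkers(SAMPLE_LOG, {'example.org'}, threshold=3):
        print(f'{n:6d}  {host}')
```

On a real log the threshold would be set per day rather than over a handful of lines, and the output is only a starting point: the Referer is supplied by the client, so it can be missing or wrong, which is also why any Referer-based redirect on the server should fall back to serving the image when the header is absent.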
And that’s the interesting part about hotlinking — if you hotlink to images on another server there is no guarantee that these images won’t change. John McCain had to learn it the hard way by involuntarily changing his opinion on gay marriage. It is defacement, but in this case it isn’t even illegal, since you are allowed to do whatever you want with your own content.
But that isn’t all of it. As pdp notes over in his blog, you can use sites hotlinking to you for running attacks on other web servers. You can redirect your images to any address you want, and all visitors of the hotlinking site will request this address. You could run Denial-of-Service attacks or SQL injection, and the address of your web site will not even be visible in the logs of the site being attacked.
So, if you decide to use other people’s content like images, scripts or styles — upload them to your server so you are sure they won’t change. When you are hotlinking you never know what will be on the other end of the link tomorrow.
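The advice above is easier to follow if you know what your own pages actually pull from other hosts. The script below is an added example, not part of this post; it walks the HTML of a page with Python’s standard html.parser and lists every img, script and stylesheet reference whose host is not one of your own. The sample page and the own-host name example.org are constructed for the illustration. Protocol-relative URLs (//host/...) are resolved to a host too, while relative paths and data: URLs are treated as local.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ExternalResourceFinder(HTMLParser):
    """Collect img/script/stylesheet references that resolve to a foreign host."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own = {h.lower() for h in own_hosts}
        self.found = []  # list of (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = None
        if tag in ('img', 'script') and a.get('src'):
            url = a['src']
        elif tag == 'link' and a.get('href'):
            rel = (a.get('rel') or '').lower().split()
            if 'stylesheet' in rel:
                url = a['href']
        if url is None:
            return
        host = urlsplit(url).hostname  # '//cdn.example.net/x.js' -> 'cdn.example.net'
        if host is None:
            return  # relative path or data: URL: served from our own host
        host = host.lower()
        if host in self.own or any(host.endswith('.' + o) for o in self.own):
            return
        self.found.append((tag, url))


def find_hotlinked(html, own_hosts):
    """Return [(tag, url), ...] for resources the page loads from other hosts."""
    parser = ExternalResourceFinder(own_hosts)
    parser.feed(html)
    parser.close()
    return parser.found


# Constructed sample page (not a real site); the site's own host is example.org.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<link rel="icon" href="http://cdn.example.net/favicon.ico">
<script src="//scripts.example.net/lib.js"></script>
<script src="/local.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://www.example.org/images/banner.png">
<img src="http://img.other.example.com/button.gif">
</body></html>
"""

if __name__ == '__main__':
    for tag, url in find_hotlinked(SAMPLE_PAGE, {'example.org'}):
        print(f'{tag:6s} {url}')
```

Each line of output is a resource that can change, vanish or be redirected at the other host’s discretion; copying it to your own server removes that dependency. The rel="icon" link is left out on purpose so the check stays focused on the three resource types the post names.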
Edit (17:32): They noticed now. The image has been replaced by another screenshot that they uploaded to their own server this time.