vADC Docs

Stop hot-linking and bandwidth theft!

by on ‎03-13-2013 10:39 AM (1,054 Views)

Bandwidth can be expensive. So it can be annoying if other websites steal your bandwidth from you. A common problem is when people use 'hot-linking' or 'deep-linking' to place images from your site on to their own pages. Every time someone views their website, you will pick up the bandwidth tab, and users of your website may be impacted because of the reduced bandwidth.

So how can this be stopped?

When a web browser requests a page or an image from your site, the request includes a 'Referer' header (The misspelling is required in the specs!). This referrer gives the URL of the page that linked to the file. So, if you go to, your browser will load the HTML for the page, and then load all the images. Each time it asks the web server for an image, it will report that the referrer was

We can use this referrer header to check that the image is being loaded for your own site, and not for someone else's. If another website embedded a link to one of these images, the Referer: header would contain the URL of their site instead. This site has a more in-depth discussion of bandwidth-stealing; the Stingray approach is an alternative to the Apache solution it presents.

Solving the problem with RuleBuilder

RuleBuilder is a simple, GUI front-end to TrafficScript that lets you create straightforward 'if condition then action'-style policies.  Use the Stingray Admin Server to create a new RuleBuilder rule as follows:


You should then associate that with your virtual server, configuring it to run as a Request Rule:


All done. This rule will catch any hotlink requests for content where the URL ends with '.gif', '.jpg' or '.png', and redirect to the image:

TrafficScript improvements

We can make some simple improvements to this rule:

  • We can provide a simple list of file extensions to check against, rather than using a regular expression.  This is easier to manage, though not necessarily faster
  • We can check that the referer matches the host header for the site.  That is a simple approach that avoids embedding the domain (e.g. in the rule, thus making it less likely to surprise you when you apply the rule to a different website

First convert the rule to TrafficScript.  That will reveal the implementation of the rule, and you can edit the TrafficScript version to implement the additional features you require:

$headerReferer = http.getheader( "Referer" );

$path = http.getpath();

if( string.contains( $headerReferer, "" ) == 0

        && $headerReferer != ""

        && string.regexmatch( $path, "\\.(jpg|gif|png)$" ) ){

        http.redirect( "" );


The RuleBuilder rule, converted to TrafficScript

Edit the rule so that it resembles the following:

$extensions = [ 'jpg', 'jpeg', 'gif', 'png', 'svg' ];

$redirectto = "";


$referer = http.getheader( "Referer" );

$host    = http.getHostHeader();

$path    = http.getpath();

$ext     = "";

if( string.regexMatch( $path, '\.(.*?)$' ) ) $ext = $1;

if( array.contains( $extensions, $ext )

   && $referer != ""

   && !string.contains( $referer, $host )

   && $path != $redirectto ) {

      http.redirect( $redirectto );


Alternate rule implementation