Detailed photo of web man shown in smaller and much lower quality

Image quality degradation as a hotlink prevention measure and deterrent

Hotlink protection is the practice of serving different images based on the HTTP Referer (sic) header: one image when the request comes from a page on your own website, and a different image when it comes from a page on another website. Including images from other websites without permission is known as “hotlinking”.

Early-web hotlink protection measures were crude and not very sexy when seen with a modern eye. Yet they are still deployed by many websites because bandwidth still isn’t free, and people who don’t know any better, or just don’t care about free-loading on the bandwidth of other websites, continue to hotlink images.

Embedding/inline-loading is much more common now, and it’s considered legitimate in many more contexts because of popular web reading-list services, feed readers, social news sites, webmail, aggregators, etc. Maintaining a whitelist of the services you individually approve of is impractical and would have to be constantly fine-tuned.

You definitely don’t want to shout at potential visitors who are coming to your website from their webmail or social network sites, accusing them of stealing bandwidth. Yet this is exactly what many websites do.

As hotlinking can’t really be prevented in any meaningful way, I like to focus on reducing its impact on my server and bandwidth instead. A hotlinked image will be siphoning server resources no matter what you do, so let us rather make the best of the situation.
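The Referer decision described above, written out as a small WSGI application. This is an added example, not the article’s own server configuration (which is not reproduced on this page); the hostnames, image paths and image bytes are assumptions constructed for the demo. The point it makes beyond the prose: a missing or unparseable Referer (direct visit, bookmark, privacy extension, Referrer-Policy stripping) is treated as a real visitor and gets the full image, the hostname is matched exactly rather than by suffix, and the response carries `Vary: Referer` so a shared cache does not hand the degraded copy to your own visitors.

```python
"""Referer-based image variant selection (added example, not the article's
own configuration). Serves a full-quality image to requests coming from our
own pages or with no Referer at all, and a degraded copy to everyone else.
"""
from urllib.parse import urlsplit

# Hypothetical hostnames for the site being protected (assumption).
OWN_HOSTS = {"example.com", "www.example.com"}

# Constructed stand-ins for the real image files: path -> {variant: bytes}.
IMAGES = {
    "/images/web-man.jpg": {
        "full": b"\xff\xd8FULL-QUALITY-JPEG-PLACEHOLDER\xff\xd9",
        "degraded": b"\xff\xd8SMALL-LOW-QUALITY-JPEG\xff\xd9",
    },
}


def referer_host(referer):
    """Lowercase hostname from a Referer value, or None if absent/unparseable."""
    if not referer:
        return None
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    return host.lower() if host else None


def choose_variant(referer, own_hosts=OWN_HOSTS):
    """Return 'full' or 'degraded' for a request carrying this Referer.

    No Referer, or one we cannot parse, is the common case for direct visits,
    bookmarks and privacy tooling, so it gets the full image. Matching is
    exact: 'example.com.evil.test' must not pass as 'example.com'.
    """
    host = referer_host(referer)
    if host is None or host in own_hosts:
        return "full"
    return "degraded"


def app(environ, start_response):
    """WSGI entry point: pick the variant from HTTP_REFERER and serve it."""
    variants = IMAGES.get(environ.get("PATH_INFO", ""))
    if variants is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    variant = choose_variant(environ.get("HTTP_REFERER"))
    body = variants[variant]
    headers = [
        ("Content-Type", "image/jpeg"),
        ("Content-Length", str(len(body))),
        # Caches must key on Referer, or one cached copy serves both audiences.
        ("Vary", "Referer"),
        # Hypothetical debugging header so you can see which copy was served.
        ("X-Image-Variant", variant),
    ]
    start_response("200 OK", headers)
    return [body]


def simulate(path, referer=None):
    """Drive app() with a constructed WSGI environ; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if referer is not None:
        environ["HTTP_REFERER"] = referer
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for ref in (None, "https://www.example.com/post", "https://forum.example.net/t/1"):
        status, hdrs, _ = simulate("/images/web-man.jpg", ref)
        print(f"{ref!r:40} -> {status} {hdrs.get('X-Image-Variant')}")
```

To run it for real, hand `app` to `wsgiref.simple_server.make_server` or any WSGI server. If you want subdomains such as `static.example.com` to count as your own, add them to `OWN_HOSTS` or compare against `"." + host` suffixes explicitly; a bare `endswith("example.com")` check would let `notexample.com` through.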

Feature image based on a photo by © 2015 Christopher J. Campbell. The article author waives all copyrights and related or neighboring rights to the code and configuration examples provided in this article. They’re provided as-is without any guarantee of functionality nor anything else.


  1. Your articles on here are generally pretty good already, Daniel, but this one is really outstanding (though your content scraping one is still my favourite).

    I’m sure you’re already familiar with CloudFlare, so I can only assume that you’ve implemented this bandwidth-saving alternative because you have privacy or transparency concerns there?

    1. Thank you for your praise, Chris. ☺

      I’m indeed very familiar with CloudFlare. I’ve even read their not-very-enlightening Terms of Service.

      CloudFlare is a single point of failure for a huge chunk of the web with a murky and unclear business model. There is no such thing as «free», but they don’t really admit to it. What do they do with all the public data (articles) and private data (like comment email addresses and who views what)?

      I’m ready to deploy them temporarily with a few clicks in case of a massive attack, but I see no reason to use their services except in an emergency. They impose technical restrictions on websites that I want no part in. I basically find them to be too large of a powerhouse on the web built on trust they’ve done nothing to deserve.

      1. Yeah, I suppose, given how many CloudFlare-protected services I use (such as FastMail), I don’t really have any choice but to trust them as much (or as little) as I trust any other service provider who is ultimately US-based. Google, Linode, Amazon, Digital Ocean… who knows what they’re subject to behind the scenes. Even FastMail’s servers are US-based even though the company is in Melbourne.

        My impression of CloudFlare, based on their words and actions over the last few years, has me seeing them in a generally positive light. Free security, their Galileo project, resistance to partisanship, helping to plug vulnerabilities beyond their own network, etc. In Australia they’re actively resisting some of the monopolising network practices of our big ISPs down there, which is needed if we are to ever have a fair peering system and lower bandwidth costs. So while I say I have little choice but to trust them, I am currently OK with that. I do think they deserve some level of trust given their short history.

        I guess I am not so suspicious of their $0 offering because I just see it as a marketing lead to their first low-cost tier (or now, their pay-for-more-page-rules thing). I don’t think it’s like Facebook where free users are “the product”. The business models are fundamentally different. The criticisms I have seen on how their SSL can be misleading, or how they handle Tor, I all understand – but the business model makes sense to me, assuming their enterprise customers pay through the nose.
