Image Hotlink Protection: What, How, Why?

by

Image hotlinking is the act of linking to a file that is hosted on another site, instead of:

  1. downloading the file
  2. hosting it on your own server
  3. and providing your own link to the image.

Image hotlinking example

Imagine you have two websites, Site A and Site B.

On Site A’s home page, there is an image of a mountain stream. The owner of Site B finds the image on Site A and adds it to Site B by directly linking (or “hotlinking”) to Site A’s URL. The mountain stream image is now displayed on Site B, but it consumes Site A’s bandwidth to do so.

This is considered a very bad practice.

If Site B has a high volume of traffic, Site A’s bandwidth usage can increase significantly, potentially leading to unexpected hosting overage fees. The cost incurred by Site A depends on the size of the image(s) and the number of visitors to Site B.

In cases where Site A has no mechanisms to prevent or limit hotlinking, such as restrictions at the server or CDN level, Site A remains vulnerable to ongoing costs and performance issues. Additionally, this misuse can degrade Site A’s service availability if its bandwidth or server resources are exhausted, potentially affecting legitimate visitors to Site A.

How can QUIC.cloud help?

QUIC.cloud Hotlink Protection restricts access to image requests that do not originate from your website’s domain. It prevents unauthorized external referrers from linking to images on your domain.

This is a CDN security and bandwidth-saving feature which helps to reduce your monthly expenditure.Hotlink protection has no negative side effects. Visitors to your website can continue accessing and viewing images as usual without any disruptions.

Preventing hotlinking helps to maintain your brand integrity and ensures that your images are displayed in the context you intended.Hotlinking can be a form of image theft. By protecting your images, you can reduce the likelihood of others using them without your permission.

Hotlink protection is enabled by default for Free Plan users and is disabled by default for Standard Plan users.

Example with Hotlink Protection OFF

If the Hotlink Protection setting is turned OFF, hot-linked image requests will be honored by the CDN and hosting bandwidth charges will be incurred. Here is an example of what can happen:

This image shows Site B’s home page, displaying the mountain stream image it found on Site A.

You can see from the headers shown here that the image URL is from Site A’s domain, the IP address is a QUIC.cloud IP, and there was a QUIC.cloud cache hit on the image.

Example with Hotlink Protection ON

If the Hotlink Protection setting is turned ON, hot-linked image requests will be rejected by the CDN with a 403 Forbidden response, and will not be displayed on the offending site. Here is an example:

This image shows Site B’s home page, displaying an empty space where they attempted to hotlink the mountain stream image from Site A.

You can see from the headers shown here that QUIC.cloud returned a 403 response and did not serve the image.

How to enable QUIC.cloud Hotlink Protection

Hotlink Protection is found in the Security section of the CDN configuration for a domain. To find the setting, log in to your QUIC.cloud Dashboard and:

  1. Select your domain on the My Domains tab
  2. Navigate to CDN > CDN Config > Security
  3. Scroll down to find the Hotlink Protection setting
  4. Click ON and the setting will be enabled immediately

Troubleshooting

If you’ve turned ON image Hotlink Protection and find that images on your site are still accessible on other websites, it is likely because the images are still being served from the CDN cache. To deal with this, purge the CDN Cache: navigate to CDN > CDN Config > Cache and press the Purge all CDN Cache button.

Before purging the cache, if you want to verify that cache is the issue, you can check the response headers. Look for:

  • the IP address the hotlinked image is being served from
  • the x-qc-pop header which will have the IP address of the CDN node serving the request
  • the x-qc-cache header which will have the value, hit

If all of the above are true, purging the CDN cache should solve the problem.

Other things to try:

  • Wait 10-30 minutes for Hotlink Protection to start working
  • Verify the CDN is configured correctly and that the origin server is operational
  • Verify your server IP is correct in your DNS A records for both www and root domain
  • Verify the CNAME DNS record is set correctly
  • Verify all QUIC.cloud IP addresses are allowlisted
  • Open a ticket

Conclusion

Hotlinking can be a security concern and a drain on your website’s resources or finances. QUIC.cloud’s image hotlink protection offers a simple-yet-effective solution. By preventing unauthorized websites from embedding your images, you can:

  1. Reduce bandwidth and hosting costs.
  2. Protect your content and online brand integrity.
  3. Ensure your images are displayed in the context you intended.
  4. Minimize potential slowdowns caused by hotlinked images.

Whether you’re on the Free Plan or Standard Plan, QUIC.cloud provides an easy solution to safeguard your valuable image assets. With hotlink protection enabled, you can rest assured that your images are working for you, not someone else!

[Editor’s Note: This article was written by Philani Gumbo.]

Leave a Comment