Use .htaccess to allow access only from a single HTTP referrer

by Yang Yang on May 30, 2010

Sometimes you want the user to access something (a web page or a downloadable file) only by clicking a link on your own website instead of being able to directly access it by typing in the URL address in the browser address bar. This is achievable by a few lines in .htaccess.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(www.)?example.com/download-page.php
RewriteRule .* - [F]

Write down the above lines in the .htaccess of the directory that you want users to access only by clicking links on http://www.example.com/download-page.php or http://example.com/download-page.php. Direct access to download stuff from the directory or from any other HTTP referrer will fail.

While this may not be bullet proof as referral information can be faked from the client side, it is a simple solution that should suffice in most cases. For example, this can be used to prevent hot linking from other websites that link directly to something on your website, reducing traffic stealing.

tizkack June 10, 2012 at 12:45 am

very usefull! thank you so much!

waqas October 16, 2012 at 11:23 pm

how to allow .. a referral but deny JPG and other image content?

Comments on this entry are closed.

Previous post:

Next post: