Prevent hotlinking

Hello all,

I tried to use the following code to prevent hotlinking. But it blockes
myself as well, anyone got any idea?

location ~* (.jpg|.png|.css)$ {
valid_referers blocked *;
if ($invalid_referer) {
return 404;




“valid_referers none blocked * etc”

perhaps you’re not sending a referrer header. Some “internet security
suites” do that for “privacy” and I hate them. or malfunctioning
browsers or some browsers include that option now.

that’s the only thing I see wrong there.


Thanks. I tried that. But it’s still not working. I am using wordpress.
Don’t know what referrer header wordpress send.


Your browser will almost always send referrers. As mentioned,
sometimes a security suite will block referrers. Sometimes flash won’t
send referrers when it makes requests (sometimes it will). You just
want to also allow blank referrers in addition to the “correct”

Its not Wordpress sending the header it’s your browser sending the
header (unless this is wordpress fetching images using some plugin and
then youll have to modify the script to send a referer header (I
believe it is spelled wrong, technically)

Flash players may or may not send referrers. It seems to vary based on
the web browser used. Documentation for flash would lead me to believe
that it never sends referrers, but practical experience shows that
this is not true, it does sometimes send headers, and sometimes not,
in a mostly unpredictable way.

Possibly could be based on the player. I’m sure you can code in the

And video embedding is infamous for not sending info. At least windows
media player type embedding. Not sure if flash players are better.

Flash has surprisingly little flexibility with determining what
headers are sent to the server when you request files. It does what it
does and if you don’t like it, tough. That’s the conclusion I came to
in researching to design a couple flash applications, as well as to
lock down video files for a project I was working on.

Sometimes this is for security purposes. You aren’t supposed to be
able to request files from a different domain than the SWF was sourced
from (unless a crossdomain.xml file on that domain specifically allows
it). I’ve noticed that although this is supposed to be a hard and fast
rule, some video players are able to source their video files (.flv)
from sites other than where the SWF was sourced, even if
crossdomain.xml doesn’t allow it. This is probably a bug or the result
of some arcane Flash behaviour, rather than something the designer of
the SWF can decide upon.

Either way, you need to be prepared, in flash, for the likelihood that
it will either send the proper referrers, or no referrers whatsoever,
and you really have no control over which will be the case.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs