Restrict image and CSS hotlinking of your ASP.NET website

Blocking hotlinking with IIS Url Rewrite

I did not realize how important it is to restrict hot-linking until one day my friend came to me and told me that he had to pay additional money for the bandwidth on his website.

He was surprised that he had reached the bandwidth quota limit. It was weird, but after some logging of the requests coming to the website we realized that most of them were initiated from some other website. That means that someone was linking to images and other content on his website.

To make things worse, not only images were used but CSS too, which made the hot-linking website look very similar to my friend's. A perfect way to perform a phishing scam. Fortunately, my friend's website did not have any user input that could be stolen and used (a credit card, for example), only common contact form input fields (email address).

After some time spent looking for a way to do that, I found a page where hot-linking restriction is described with only a few lines of configuration.

The problem can be solved with the URL rewriting configuration snippet I found on the website listed in the references of this article.

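			<rule name="Prevent hotlinking">
			  <match url=".*\.(gif|jpg|png|css|js)$" />
			  <conditions>
				<!-- The rule applies only when the Referer is not empty... -->
				<add input="{HTTP_REFERER}" pattern="^$" negate="true" />
				<!-- ...and does not point to this website -->
				<add input="{HTTP_REFERER}" pattern="^http://dejanstojanovic\.net/.*$" negate="true" />
			  </conditions>
			  <action type="Rewrite" url="/403" />
			</rule>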

This simple configuration rewrites the URL of every request for an image, CSS or JavaScript file if the request's Referer header points to a different domain than the one in your URL rewrite rule.

This website uses the same configuration, so if you try to add an image from this website to your own website, let's say /media/2228/GoogleGraph-Pie.png, the image will not be loaded. Instead, the response to your request will be the content of the custom 403 error page.

If you access the image URL directly in your browser, it will return the image content, because a direct request carries no Referer header and the rule lets an empty Referer through.
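As an added example (not code from the original article), the following Python sketch models how the rule above is evaluated and runs it over constructed requests. It assumes IIS URL Rewrite defaults (case-insensitive patterns, all conditions must match); `is_rewritten`, `evaluate`, the sample Referer values and the `VARIANT_CONDITIONS` pattern are hypothetical names and values introduced for illustration.

```python
import re

# Model of the article's rule. Assumptions: IIS URL Rewrite defaults
# (ignoreCase="true", logicalGrouping="MatchAll"), query string not matched.
MATCH_URL = re.compile(r".*\.(gif|jpg|png|css|js)$", re.IGNORECASE)
PAGE_CONDITIONS = [  # (pattern, negate) pairs tested against {HTTP_REFERER}
    (r"^$", True),
    (r"^http://dejanstojanovic\.net/.*$", True),
]
# Hypothetical variant that also accepts https and the www host name.
VARIANT_CONDITIONS = [
    (r"^$", True),
    (r"^https?://(www\.)?dejanstojanovic\.net/.*$", True),
]

def is_rewritten(url, referer, conditions=PAGE_CONDITIONS):
    """Return True when the request would be rewritten to /403."""
    path = url.split("?", 1)[0]
    if not MATCH_URL.search(path):
        return False  # not an image, CSS or JS request: rule does not apply
    for pattern, negate in conditions:
        matched = re.search(pattern, referer or "", re.IGNORECASE) is not None
        if matched == negate:
            return False  # one condition failed, so MatchAll fails
    return True

# Constructed sample requests: (requested URL, Referer header value).
SAMPLES = [
    ("/media/2228/GoogleGraph-Pie.png", ""),
    ("/media/2228/GoogleGraph-Pie.png", "http://dejanstojanovic.net/blog"),
    ("/media/2228/GoogleGraph-Pie.png", "https://dejanstojanovic.net/blog"),
    ("/media/2228/GoogleGraph-Pie.png", "http://other.example/page"),
    ("/media/2228/GoogleGraph-Pie.png", "http://dejanstojanovic.net.other.example/"),
    ("/css/site.css?v=2", "http://other.example/page"),
    ("/about", "http://other.example/page"),
]

def evaluate(conditions=PAGE_CONDITIONS):
    """Return the rewrite decision for every sample, in order."""
    return [is_rewritten(url, ref, conditions) for url, ref in SAMPLES]

if __name__ == "__main__":
    rows = zip(SAMPLES, evaluate(), evaluate(VARIANT_CONDITIONS))
    for (url, ref), page, variant in rows:
        print("403" if page else "ok ", "403" if variant else "ok ",
              url, "<-", ref or "(no Referer)")
```

The third sample shows the article's pattern also rewriting requests referred by the site's own pages when they are loaded over https, which the variant pattern accepts. The first sample shows that any request without a Referer header is served, so the rule limits embedding and bandwidth use rather than access to the files.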

This will solve a lot of possible issues which hot-linking might cause, including unnecessarily increased bandwidth usage.


This configuration should be on every website checklist, as it provides multiple advantages such as bandwidth savings and prevention of security and legal issues.

See how to restrict your website being loaded in an iframe of another website.




Purpose of the code contained in snippets or available for download in this article is solely for learning and demo purposes. Author will not be held responsible for any failure or damages caused due to any other usage.

About the author


Dejan is a passionate Software Architect/Developer. He is highly experienced in the .NET programming platform, including ASP.NET MVC and WebApi. He likes working on new technologies and exciting, challenging projects.
