Hotlinking

Hotlinking is a term used to describe the practice of embedding a media object on a website which is hosted on a different server. Through hotlinking you can integrate images, videos or even JavaScript on your homepage, in order to increase functionality or attractiveness of the page. If the linking using an embedment code is done without agreement on the part of provider of the image, it is called traffic theft. Synonyms for hotlinking are inline linking, leeching or piggy-backing.

Background

Hotlinking is based on the fact that http does not distinguish between different links and treats all links equally, regardless of whether all the link destinations are hosted on the same server. Thus, different elements can be integrated into a website, even if their content is retrieved from different hosts and appear as a single image in the browser. Once a browser retrieves the content of a website, it will start with the text within the HTML document. There may be inserted links and scripts within this document which will initiate the loading of further files. Whether the browser retrieves images from the root URL, or from external sources, makes no difference in the presentation. The affected website or rather the server on which the site is hosted, benefits from a lower volume of data, because the content of the inline link is loaded from another server. Thus, the website can benefit from shorter loading time in spite of various media content. However, the webmaster is then dependent on the external source having the integrated resource available at all times. Common examples of desired hotlinking are videos from YouTube or other video platforms as well as widgets or inline frames of news sites.

Traffic theft

When hotlinking is not explicitly allowed, it is often regarded as traffic theft. A common example of this is the posting of image links in forums. A user integrates a link to an image of a product that he likes into his forum post. Each time the image is retrieved, an additional load will be put on the server of the link destination. In well-attended forums this may have a huge impact on the traffic of the host, without the owner of the image getting any direct visitors to his site. In many cases, such hotlinking is not done with evil intent. However, there are cases in which iframes are used deliberately to siphon off traffic from other sites. An example of the arbitrary control of traffic can often be found in the image SERPs of Google. The link source specified for an image shown in the results page has the image included only as a hotlink and is not a link to the actual source website.

Methods

Inline linking or hotlinking can be done in different ways:

Webmasters can knowingly control traffic to their servers by outsourcing images or video resources to different servers or subdomains. When accessing the website, the text comes from the domain xyz.com and the images from images.xyz.com.
Images or videos from other hosts are integrated via the src attribute and the HTML element iframe.

Example: The site URL is myexample.com and images are integrated via src ="www.othersite.com/images.jpg.”

Banners are typically not hosted on your own server, but integrated via external websites.

If content delivery networks are used, the integration of media is often done through hotlinking.

Widgets of news websites or meteorological services are often integrated by hotlinking.

Criminal hotlinking

By including hotlinks on your website, there is a risk that users will be directed to malware sites. Visitors won’t be able to recognize at first glance whether the links of the page they visited all lead to trusted targets. It gives scammers the opportunity to tap sensitive user data by <a class="internal bs-internal-link" title="cross-site%20scripting" href="Cross%20Site%20Scripting" data-bs-type="internal_link" data-bs-wikitext="Cross%20Site%20Scripting%7Ccross-site%20scripting">cross-site scripting</a> and phishing or reading the traffic of users. This can be done specifically through integrated JavaScript elements. At the same time, the page which provides the hotlinks does not have direct control over the content of iframes and can only delete them from the source code in extreme cases.

Prevention

Unintended hotlinking can be primarily prevented with security techniques in browsers. If a link in integrated media, for example, directs to an untrusted source, the browser prevents loading or asks the user whether the content should be loaded. Ad blockers can also fulfill this task. There are different options available for webmasters to prevent hotlinking. Unwanted hotlinking can be detected through HTTP referrers. The server can be configured with PHP or in the case of Apache through mod rewrite in such a way that media from your server cannot be included on other sites or a blank document will appear.

Hotlinking and copyrights

The legal situation for integrating external content through hotlinking is not clear at this point, since the source for the integrated medium is indicated on the reference link and the medium itself is not changed. It is often a matter of interpretation whether hotlinking is a copyright infringement or not. According to a judgment by the European Court, hotlinking is allowed if the content was uploaded on the Internet and is freely available to anyone. It becomes a problem if you include images or videos that were not meant for public distribution. If you want to make sure that you can use media from another host on your website, you should first ask the operator of the other website and get a confirmation.

Benefits for usability

Hotlinking can be very beneficial for the usability of a website. If a website receives additional “rich content” through videos or images, it will be more attractive to users, which will increase the length of stay and interaction rate. This in turn can have a positive impact on Google’s evaluation of the site. Since hotlinking reduces the server load and thus increases the loading speed of the page when inserting additional image or video material, it is technologically also of benefit. One drawback, however, is that webmasters have no direct influence on content which is inserted by inline linking. If a video is changed or an image is deleted from the external host, it is no longer available on your site. Thus if you embed media, you have to periodically verify that all resources are still accessible in order to ensure maximum usability for your visitors. Moreover, care must be taken that external content is not used for criminal purposes. Depending on what kind of media is integrated, it may be necessary to adapt the Privacy Policy for your website. Examples of this are integrated Facebook widgets or Like buttons.