# Hotlink Protection

> Stop other sites from embedding your images and consuming your bandwidth. Per-extension allowlist, per-domain referrer rules.

Hotlink Protection blocks requests for files on your site that come from a referrer you didn't approve. The classic case: someone pastes `<img src="https://yoursite.com/photo.jpg">` into their forum post, and every visitor to that forum then loads the image using your bandwidth. Hotlink Protection serves them a 403 instead.

Open it from cPanel home → **Security** → **Hotlink Protection**.

<Frame caption="Hotlink Protection toggle and the allowlist editor">
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/security-settings/hotlink-protection/listing-light.png" alt="Hotlink Protection page with toggle, URL allowlist, and extension list" className="block dark:hidden" />

  <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/security-settings/hotlink-protection/listing-dark.png" alt="Hotlink Protection page with toggle, URL allowlist, and extension list" className="hidden dark:block" />
</Frame>

## Turn it on

<Steps>
  <Step title="Review the URLs to allow">
    cPanel pre-fills the **URLs to allow access** box with the variants of your own domain (`http://`, `https://`, `www.` and bare). Anything in this list is treated as a same-site referrer; requests with these referrers go through.

    Add partner sites if you legitimately want them to embed your media. Strip back to just your own domains if you don't want anyone embedding.
  </Step>

  <Step title="Review the file extensions">
    The default list covers images, video, and audio (`jpg jpeg gif png bmp mp3 wav avi mov mpg mpeg`). Add or remove based on what you actually serve. Use lowercase, no leading dot.
  </Step>

  <Step title="Choose what blocked requests get">
    Two options:

    * **Allow direct requests (recommended on).** Browsers visiting the file URL directly (no referrer) still see the file. Without this, typing the image URL into a browser would also fail.
    * **Redirect URL.** Optional. If you want hotlinkers to land on a specific page (your own logo, a "stop hotlinking" notice, the homepage), put the URL here.
  </Step>

  <Step title="Click Submit">
    Hotlink Protection writes the rules to `.htaccess` and the block is in effect immediately.
  </Step>
</Steps>

## Disable it

The same page has a **Disable** button. Click it. The `.htaccess` rules are removed.

## What gets blocked, exactly

Apache reads the `Referer` HTTP header on every request. Hotlink Protection compares the value against your allowlist:

* An empty referer (direct browser visit, image preloader, some tools) is allowed if **Allow direct requests** is on and blocked otherwise.
* A referer that matches an entry in **URLs to allow access** is allowed.
* Anything else is blocked or redirected.

Modern browsers strip the `Referer` header in some cross-origin contexts (especially with `Referrer-Policy: no-referrer`). Those requests look like direct visits. Hotlink Protection can't tell them apart.
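
The three rules above, modelled as an added example (not cPanel's or Noxity's code) and run over raw access log lines in combined log format to total the bytes each non-allowlisted referrer is consuming. The allowlist values, the sample log lines, the function names, and the exact-or-prefix matching rule are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed settings mirroring the form fields described on this page.
ALLOWED_URLS = ["http://example.com", "https://example.com",
                "http://www.example.com", "https://www.example.com"]
EXTENSIONS = {"jpg", "jpeg", "gif", "png", "bmp"}

# Combined log format: "METHOD path proto" status bytes "referer" ...
LOG_RE = re.compile(
    r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" \d{3} (?P<bytes>\d+|-) "(?P<ref>[^"]*)"')

def decide(path, referer, allowed=ALLOWED_URLS, exts=EXTENSIONS, allow_direct=True):
    """Return 'serve' or 'block' following the three rules listed above."""
    ext = urlsplit(path).path.rsplit(".", 1)[-1].lower()
    if ext not in exts:
        return "serve"                       # extension is not protected
    if referer in ("", "-"):                 # logs record a missing header as "-"
        return "serve" if allow_direct else "block"
    ref = referer.lower()
    for entry in allowed:
        base = entry.lower().rstrip("/")
        # Assumption: an entry matches exactly or as a prefix ending at "/".
        if ref == base or ref.startswith(base + "/"):
            return "serve"
    return "block"

def blocked_bytes_by_referer(lines, **settings):
    """Sum response bytes per referring host for requests that would be blocked."""
    totals = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and decide(m["path"], m["ref"], **settings) == "block":
            host = urlsplit(m["ref"]).hostname or m["ref"]
            totals[host] += 0 if m["bytes"] == "-" else int(m["bytes"])
    return totals

# Constructed sample lines (not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /img/photo.jpg HTTP/1.1" 200 48211 "https://forum.example.net/thread/9" "Mozilla/5.0"',
    '203.0.113.6 - - [01/Jan/2025:10:00:01 +0000] "GET /img/photo.jpg HTTP/1.1" 200 48211 "https://www.example.com/gallery" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /img/photo.jpg HTTP/1.1" 200 48211 "-" "curl/8.0"',
    '203.0.113.8 - - [01/Jan/2025:10:00:03 +0000] "GET /docs/manual.pdf HTTP/1.1" 200 90000 "https://forum.example.net/thread/9" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2025:10:00:04 +0000] "GET /img/banner.PNG HTTP/1.1" 200 1000 "https://forum.example.net/thread/9" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, size in blocked_bytes_by_referer(SAMPLE_LOG).most_common():
        print(f"{host}\t{size} bytes")
```

Running this against a real raw access log before enabling the feature shows which referring hosts would start receiving 403s, which helps decide what belongs in **URLs to allow access**.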

## When not to use it

* **API or CDN endpoints.** If you serve files to a JavaScript app on a different origin or a CDN that fetches without referer, hotlink protection blocks them. Either allowlist the origin, or skip it.
* **OG image previews.** Slack, Discord, and X scrape OpenGraph images server-side, often without a referer. With **Allow direct requests** on, this works. Off, your link previews are blank.
* **Image search.** Google Image Search shows thumbnails and links to the source. With hotlink protection on, the thumbnail still loads (Google caches it) but the link click can fail if Google strips the referer. For SEO-sensitive sites, allowlist `*.google.com` and `*.googleusercontent.com`.

## Common issues

<AccordionGroup>
  <Accordion title="My own site can't load its own images">
    Cloudflare or another CDN sits between the visitor and the origin and forwards a referer that doesn't match your allowlist. Add the CDN's domain to **URLs to allow access**, including Cloudflare's `*.workers.dev` and similar domains as needed.
  </Accordion>

  <Accordion title="Images load fine but PDFs return 403">
    `pdf` wasn't in the extension list when you saved. Add `pdf` and save again.
  </Accordion>

  <Accordion title="Email signature image breaks">
    Mail clients fetch images server-side, often with no referer or a strange one. Either turn **Allow direct requests** on, or skip hotlink protection for that one image's path.
  </Accordion>

  <Accordion title="Hotlink protection looks on, but bandwidth still spikes">
    Hotlinkers may have downloaded the file and re-hosted it on their side, in which case there's nothing to block. Or the bandwidth is going to legitimate visitors and you've just gotten popular. Check raw access logs in [Logs](/web-hosting/cpanel/metrics-analytics/logs/raw-access/raw-access-example).
  </Accordion>
</AccordionGroup>

## Need a hand?

<CardGroup cols={2}>
  <Card title="Open a ticket" icon="life-ring" href="https://members.noxity.io/submitticket.php">
    Best for anything that needs an account check or a config change on our end.
  </Card>

  <Card title="Live chat" icon="messages" href="https://noxity.io/contact">
    Faster for quick questions during business hours.
  </Card>
</CardGroup>
