LeechGuard - Stop hotlinks with IIS and ASP.NET

Many web sites suffer from others directly linking to their image, video and other content. This practice is often called leeching, hot-linking, or inline-linking, and it wastes bandwidth and increases server load on the victim web site. Mike Volodarsky wrote an ASP.NET module that prevents hot-linking. It can be used on IIS5 (Windows 2000/XP), IIS6 (Windows Server 2003), and IIS7 (Windows Vista / Longhorn Server).

How does it work?

When a browser follows a hyperlink, or downloads embedded content, from an existing web page, it includes a REFERER header in the request to specify the original url from which this request was made.

This is a useful feature for tracking referrals from other sites, or the path someone takes through your own website. However, it can also be used to identify leeches – websites that point to your own content that you don’t want referred to outside of your own web site.

When a request comes to your web site, the module checks the REFERER header, and if it indicates that the request is from another web site, it rejects the request.

You can specify what content on your website should be protected, and what websites / urls are allowed to refer to it. So, in the end, your website and your friend sites see your images correctly and leeching websites are presented with alternative content or error status code.
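
The Referer check described above, written as an ASP.NET IHttpModule. This is an added example, not the LeechGuard source; the class name, the protected extensions, the allowed hosts, and the choice to let requests without a Referer through are assumptions.

```csharp
using System;
using System.Web;

// Hypothetical module for illustration; not the LeechGuard source.
public class RefererGuardModule : IHttpModule
{
    // Assumed policy: which extensions are protected, and which hosts may refer to them.
    private static readonly string[] ProtectedExtensions = { ".jpg", ".gif", ".png" };
    private static readonly string[] AllowedHosts = { "www.example.com", "friend.example.net" };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;
        if (!MatchesAny(request.FilePath, ProtectedExtensions, true)) return;

        Uri referer;
        try { referer = request.UrlReferrer; }            // null when the header is absent
        catch (UriFormatException) { referer = null; }    // malformed header value

        // Assumed choice: allow requests without a usable Referer (typed URLs,
        // bookmarks, clients that strip the header) rather than break them.
        if (referer == null) return;

        // Compare whole host names. A substring test would also accept
        // a host such as "www.example.com.other.test".
        if (string.Equals(referer.Host, request.Url.Host, StringComparison.OrdinalIgnoreCase)) return;
        if (MatchesAny(referer.Host, AllowedHosts, false)) return;

        app.Context.Response.StatusCode = 403;            // or serve alternative content
        app.CompleteRequest();                            // skip the rest of the pipeline
    }

    // suffixOnly=true matches a file extension; false requires the whole string to match.
    private static bool MatchesAny(string value, string[] candidates, bool suffixOnly)
    {
        foreach (string c in candidates)
        {
            if (suffixOnly ? value.EndsWith(c, StringComparison.OrdinalIgnoreCase)
                           : string.Equals(value, c, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
}
```

Because the Referer header is supplied by the client, a check like this limits casual embedding and bandwidth use; it is not an access control for content that must stay private.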

Mapping IIS content types to ASP.NET

IIS has built in support for serving static files like JPG images, and launching CGI programs. It also provides extensibility for plugging in additional components, called ISAPI extensions, to handle additional resource types. ASP is an ISAPI extension that processes ASP scripts, and ASP.NET is another ISAPI extension that provides processing for ASPX pages and a few other content types.

However, ASP.NET also provides generic services, such as the popular Forms Authentication, authorization, output caching, or custom ones like LeechGuard that are not specific to ASPX pages. Unfortunately, it can only provide these services to content types that are registered to it in IIS scriptmap configuration. Since JPG images are served by IIS, they are not registered to ASP.NET and therefore unable to benefit from ASP.NET services.

With more and more people wanting to use the ASP.NET framework to develop general web infrastructure for IIS, we have tried to solve this problem over the past few releases of both products … culminating in the ASP.NET Integrated pipeline in IIS7.

So, if you want to use ASP.NET to provide services for non-ASP.NET content types, here are your options:

  1. IIS5 + ASP.NET 1.1 and 2.0: Map the desired content type to ASP.NET. ASP.NET can manage serving static files on its own, but does not support CGI, ASP or other ISAPI extensions, so if you use those, you are out of luck.
  2. IIS6 + ASP.NET 2.0: Create a “wildcard mapping” for ASP.NET, passing all requests to ASP.NET. ASP.NET in turn will handle all extensions it knows about, and pass the rest back to IIS to be handled by IIS / other ISAPI extensions. This is great, because it lets you provide ASP.NET processing while continuing to use IIS and other IIS ISAPI extensions to handle their own content.
  3. IIS7 + ASP.NET 2.0 Integrated pipeline. The ultimate answer – the ASP.NET extensibility model can now be used to develop IIS components, regardless of who provides the handling of the request.

To download the module and view installation/configuration information, visit:
http://mvolo.com/blogs/serverside/archive/2006/11/10/Stopping-hot_2D00_linking-with-IIS-and-ASP.NET.aspx
