Your comments

Both above scenarios would work, but a blacklist would be preferable. Or whatever service is generating the preview, don't follow 301/302 redirects so anything that is behind a login would not render an image.