Hotlink Protection

Prevent unauthorized websites from embedding your content.


Overview

Hotlinking occurs when other websites embed your images, videos, or files directly, using your bandwidth without permission. Hotlink protection blocks these requests based on the referrer header.


How It Works

When a browser requests a resource, it sends a Referer header indicating where the request came from:

Referer: https://other-site.com/their-page

Hotlink protection checks this header:

  • Allowed referrer: Request proceeds normally
  • Blocked referrer: Returns 403 Forbidden

Enabling Hotlink Protection

From Dashboard

  1. Go to your zone settings
  2. Click "Security" tab
  3. Enable "Hotlink Protection"
  4. Add allowed domains
  5. Save changes

Configuration Options

Allowed Domains: Domains that CAN embed your content:

yourdomain.com
www.yourdomain.com
subdomain.yourdomain.com
partner-site.com

Block Empty Referrer:

  • Enabled: Block requests with no referrer header
  • Disabled: Allow requests with no referrer (default)

Warning: Blocking empty referrers can break direct links and some browser features.


Allow List Patterns

Exact Domain

example.com          # Only example.com
www.example.com      # Only www.example.com

Wildcard Subdomain

*.example.com        # All subdomains of example.com

Multiple Domains

Add each domain on a separate line:

yourdomain.com
www.yourdomain.com
partner-site.com
cdn.yourdomain.com

File Type Filtering

Optionally restrict hotlink protection to specific file types:

Images Only

jpg, jpeg, png, gif, webp, svg

Media Files

mp4, webm, mp3, ogg

Documents

pdf, doc, docx, xls, xlsx

Leave empty to protect all file types.


Common Configurations

Protect Images Only

Allow your site and search engines to display images:

Allowed domains:

yourdomain.com
*.yourdomain.com
images.google.com
www.google.com
www.bing.com

File types:

jpg, jpeg, png, gif, webp

Strict Protection

Only allow your exact domains:

Allowed domains:

www.yourdomain.com
yourdomain.com

Block empty referrer: Enabled

File types: All

Partner Access

Allow specific partners to embed your content:

Allowed domains:

yourdomain.com
partner1.com
partner2.com
affiliates.partner3.com
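To make the decision described in "How It Works" concrete, here is a small reference model of the referrer check, run against the "Protect Images Only" and "Strict Protection" configurations above. This is an added example, not NordicCDN's own code; the HotlinkConfig shape, the helper names and the sample requests are assumptions chosen to mirror the options this page lists (exact hosts, "*." wildcards, the empty-referrer switch and the comma-separated file-type filter).

```python
# Added example: a reference model of the referrer check this page describes.
# It is not NordicCDN's code; HotlinkConfig, the helpers and the sample
# requests below are assumptions made for illustration.
from dataclasses import dataclass
from urllib.parse import urlsplit
import posixpath


@dataclass
class HotlinkConfig:
    allowed_domains: list          # exact hosts or "*.example.com" wildcards
    block_empty_referrer: bool = False
    file_types: str = ""           # comma-separated extensions; "" = protect all


def _host_matches(host: str, pattern: str) -> bool:
    """Exact host match, or subdomain match for '*.' patterns.

    The comparison is on the whole hostname, never a substring, so a host
    that merely contains an allowed name does not pass."""
    pattern = pattern.strip().lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # "*.example.com" -> ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def _referrer_host(referer: str) -> str:
    # urlsplit().hostname is already lower-cased; a malformed value yields ""
    return urlsplit(referer).hostname or ""


def _is_protected(path: str, file_types: str) -> bool:
    """With an empty type list every file is protected (the page's default)."""
    types = {t.strip().lstrip(".").lower() for t in file_types.split(",") if t.strip()}
    if not types:
        return True
    ext = posixpath.splitext(urlsplit(path).path)[1].lstrip(".").lower()
    return ext in types


def check_request(config: HotlinkConfig, path: str, referer: str) -> int:
    """Return the status the edge would answer with: 200 (serve) or 403 (block)."""
    if not _is_protected(path, config.file_types):
        return 200                                  # file type not covered by the rule
    if not referer:
        return 403 if config.block_empty_referrer else 200
    host = _referrer_host(referer)
    if any(_host_matches(host, p) for p in config.allowed_domains):
        return 200
    return 403


# The two configurations from "Common Configurations"
IMAGES_ONLY = HotlinkConfig(
    allowed_domains=["yourdomain.com", "*.yourdomain.com",
                     "images.google.com", "www.google.com", "www.bing.com"],
    file_types="jpg, jpeg, png, gif, webp",
)
STRICT = HotlinkConfig(
    allowed_domains=["www.yourdomain.com", "yourdomain.com"],
    block_empty_referrer=True,
)


if __name__ == "__main__":
    # Constructed sample requests (path, Referer) and the decision for each config
    samples = [
        ("/image.jpg", "https://bad-site.com/"),
        ("/image.jpg", "https://yourdomain.com/"),
        ("/image.jpg", "https://blog.yourdomain.com/post"),    # wildcard subdomain
        ("/image.jpg", ""),                                    # empty referrer
        ("/report.pdf", "https://bad-site.com/"),              # type outside the filter
        ("/image.jpg", "https://yourdomain.com.example.net/"), # host that only contains the name
    ]
    for path, ref in samples:
        print(f"{path:12} {ref or '(none)':42} "
              f"images_only={check_request(IMAGES_ONLY, path, ref)} "
              f"strict={check_request(STRICT, path, ref)}")
```

Two details worth noting in the model: the wildcard "*.yourdomain.com" matches subdomains only, so the apex "yourdomain.com" must be listed separately (as every configuration on this page does), and the match is on the full hostname rather than a substring, which is why a host that merely ends in or contains an allowed name is still blocked.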

Testing Hotlink Protection

Test from Command Line

Simulate a request from another domain:

# Should be blocked (expect 403)
curl -s -o /dev/null -w "%{http_code}\n" \
  -H "Referer: https://bad-site.com/" \
  https://your-zone.cdn.nordiccdn.com/image.jpg

# Should be allowed (expect 200)
curl -s -o /dev/null -w "%{http_code}\n" \
  -H "Referer: https://yourdomain.com/" \
  https://your-zone.cdn.nordiccdn.com/image.jpg

Test from Browser

  1. Open developer tools
  2. Modify the referrer header in a request
  3. Check the response status

Limitations

Referrer Can Be Spoofed

Determined attackers can fake the referrer header. Hotlink protection stops casual hotlinking, not determined scraping.

Empty Referrers

These requests have no referrer:

  • Direct browser navigation
  • HTTPS → HTTP requests (browsers drop the referrer on a protocol downgrade)
  • Browser privacy settings
  • Some apps and tools

CORS Interaction

If you enable CORS (Access-Control-Allow-Origin: *), browsers may strip referrers. Ensure your CORS and hotlink settings are compatible.


Troubleshooting

Legitimate Requests Blocked

If your own site is blocked:

  1. Add your domain to the allow list
  2. Check for www vs non-www mismatch
  3. Verify the referrer isn't being stripped by your pages' referrer policy or privacy settings

Social Media Not Working

Add social media domains if you want previews to work:

facebook.com
www.facebook.com
twitter.com
linkedin.com
pinterest.com

Search Engines Not Indexing Images

Add search engine domains:

images.google.com
www.google.com
www.bing.com
www.yahoo.com

Best Practices

1. Start Permissive

Begin with a broader allow list and tighten as needed.

2. Include All Your Domains

Add all variations:

  • With and without www
  • All subdomains
  • CDN domains
  • Staging domains

3. Don't Block Empty Referrers

Unless you have a specific reason, allow empty referrers to avoid breaking legitimate use cases.

4. Monitor 403 Responses

Check your logs for blocked requests to identify false positives.
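A concrete way to do that review, as an added example rather than NordicCDN's own tooling: parse access log lines in the common combined format (client, timestamp, request, status, size, quoted Referer, quoted User-Agent), count the 403s per referrer host, and flag the ones that belong to your own domains or carry no referrer, since those are the false positives the Troubleshooting section describes. The log lines below are constructed sample data, and the log format is an assumption; adjust LOG_RE to your own log layout.

```python
# Added example for "Monitor 403 Responses": not NordicCDN's tooling. It assumes
# combined-format access log lines with a quoted Referer field; the sample
# lines in SAMPLE_LOG are constructed for illustration.
import re
from collections import Counter
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /image.jpg HTTP/1.1" 403 0 "https://bad-site.com/" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /image.jpg HTTP/1.1" 403 0 "https://www.yourdomain.com/gallery" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2023:13:55:38 +0000] "GET /image.jpg HTTP/1.1" 200 51234 "https://yourdomain.com/" "Mozilla/5.0"
203.0.113.13 - - [10/Oct/2023:13:55:39 +0000] "GET /logo.png HTTP/1.1" 403 0 "-" "curl/8.0.1"
203.0.113.14 - - [10/Oct/2023:13:55:40 +0000] "GET /logo.png HTTP/1.1" 403 0 "https://bad-site.com/page2" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def blocked_by_referrer(log_text: str) -> Counter:
    """Count 403 responses per referrer host; "-" or blank means no Referer was sent."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "403":
            continue
        ref = rec["referer"]
        host = "(empty)" if ref in ("", "-") else (urlsplit(ref).hostname or ref)
        counts[host] += 1
    return counts


def likely_false_positives(counts: Counter, own_domains: list) -> list:
    """Blocked hosts that belong to your own domains (www/non-www or subdomain
    mismatches) plus empty referrers, the legitimate cases the page lists."""
    own = [d.lower() for d in own_domains]
    flagged = []
    for host in counts:
        if host == "(empty)":
            flagged.append(host)
        elif any(host == d or host.endswith("." + d) for d in own):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    counts = blocked_by_referrer(SAMPLE_LOG)
    for host, n in counts.most_common():
        print(f"{n:4}  {host}")
    print("review these:", likely_false_positives(counts, ["yourdomain.com"]))
```

On the sample data the www host shows up as blocked, which is the www vs non-www mismatch from Troubleshooting, and the empty-referrer block indicates "Block Empty Referrer" is enabled; the remaining entries for the third-party host are the hotlinking the rule is meant to stop.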