Access to your CDN zone can be limited by HTTP Referer

The HTTP referer is an optional HTTP header field. It identifies the URL of the web page from which the requested resource was linked.

You can find more information about the HTTP referer here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer

This feature can be enabled easily through the Universal Control Panel and can result in significant cost savings if your assets are hotlinked on other websites. An unauthorized request results in an HTTP 403 error, and the resource is not delivered.

To enable access limits based on the referer, follow the steps outlined below:

  1. Log in to the Universal CDN Control Panel at my.ucdn.com.
  2. Navigate to the My Zones tab located in the top left corner.
  3. Click on the cogwheel icon next to the CDN zone whose access will be restricted.
  4. Navigate to the Limit Access tab.

Limit Access By Referer Explained

A regular expression (shortened as regex, or regexp) is a sequence of characters that defines a search pattern. Such patterns are mainly used by string-searching or string-matching algorithms. In our case, the pattern is used for input validation, with your domain name as the identifying string.

We use Perl-compatible regular expressions (PCRE) syntax.

This is a quick-reference guide to Perl regex, with some examples that might be useful for setting up the referer limit in the Universal CDN Control Panel.

The following 11 characters (often called “metacharacters”) have special meanings in Perl regex:

Character                 Meaning
caret ( ^ )               beginning of string
dollar sign ( $ )         end of string
backslash ( \ )           quote or special
period or dot ( . )       any character except newline
vertical bar ( | )        alternative
question mark ( ? )       match 0 or 1 time; or: shortest match
asterisk ( * )            match 0 or more times
plus sign ( + )           match 1 or more times
parenthesis ( )           grouping; “storing”
square bracket [ ]        set of characters
curly braces { }          repetition modifier

The regular expression syntax summary and classes are described in the Perl-compatible regular expressions (PCRE) syntax reference and in the Perl 5 version 32.0 documentation.

The metacharacters mentioned above must be escaped with a backslash ( \ ) to be taken literally.

Let’s review the syntax of the following examples and assume that your domain name is example.com.

Example I:

^https:\/\/video\.example\.com(\/.*|$) 

^https:\/\/ – this part of the expression says that the beginning of the string must contain the specified characters in the same order, with no exceptions.

In the example above, the specified string at the beginning is https:// (strings beginning with http:// are not allowed). To allow strings beginning with either https:// or http://, the regex must start with ^http(s?):\/\/.

Since the forward slash ( / ) is used in Perl as a pattern delimiter, a backslash ( \ ) must be added right before it; otherwise, the forward slash ( / ) will not be taken literally.

video\.example\.com – this part of the expression says that the resources can be accessed only from the subdomain whose name consists of the specified characters in the same order (no exceptions are allowed), provided the previous conditions are met. In this case, the specified string of characters is video.example.com.

Since the period or dot ( . ) is one of the special characters reserved for special use, a backslash ( \ ) must be included right before each dot ( . ). Otherwise, the dot will not be taken literally (e.g. video\.example\.com).

(\/.*|$) – this part of the expression allows the string to continue with a forward slash ( / ) followed by any characters (if there are any), except the newline, provided the previous conditions are met.

If there are no characters after the forward slash ( / ), or the string ends right after the domain name, access to the resources is allowed, provided the previous conditions are met.

Example II:

^http(s?):\/\/(.+\.)*example\.com(\/.*|$)

^http(s?):\/\/ – this part of the expression says that the beginning of the string must contain the specified characters in the same order and no exception is allowed.

In the example above, the specified string of characters at the beginning must be http:// or https://. Since the forward slash ( / ) is used in Perl as a pattern delimiter, a backslash ( \ ) must be added right before it; otherwise, the forward slash ( / ) will not be taken literally.

(.+\.)* – this part of the expression says that subdomains are allowed, but they must be part of the domain name specified in the subsequent expression (in the example above, they must be part of example.com, e.g. video.example.com). Because the dot matches any character except the newline, .+ is not limited to the characters that are valid in a host name.

example\.com – this part of the expression says that the domain must contain the specified string of characters in the same order (no exceptions are allowed), and only in case the previous conditions are met. In the example above, the specified string must be example.com.

Since the period or dot ( . ) is one of the special characters reserved for special use, a backslash ( \ ) must be included right before each dot ( . ); otherwise, the dot will not be taken literally.

(\/.*|$) – this part of the expression allows the string to continue with a forward slash ( / ) followed by any characters (if there are any), except the newline, provided the previous conditions are met.

If there are no characters after the forward slash ( / ), or the string ends right after the domain name, access to the resources is allowed, provided the previous conditions are met.
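The two patterns above, checked against sample Referer values, as an added example that is not part of the original article or the CDN's own code. It uses Python's re module in place of PCRE (these patterns behave the same in both) and assumes the filter performs an unanchored search; EXAMPLE_II_STRICT, the function names and the sample values are constructed for illustration.

```python
import re

# Patterns copied from Example I and Example II on this page.
EXAMPLE_I = r"^https:\/\/video\.example\.com(\/.*|$)"
EXAMPLE_II = r"^http(s?):\/\/(.+\.)*example\.com(\/.*|$)"
# Assumption (not from the page): a tighter Example II in which each
# subdomain label may contain only letters, digits and hyphens, so the
# subdomain group cannot run past the host name into the path.
EXAMPLE_II_STRICT = r"^http(s?):\/\/([a-z0-9-]+\.)*example\.com(\/.*|$)"


def referer_allowed(pattern: str, referer: str) -> bool:
    """Return True if the Referer value matches the allow pattern.

    Assumption: the filter does an unanchored search, so the ^ and $ in
    the pattern are what pin it to the start and end of the value.
    """
    return re.search(pattern, referer) is not None


# Constructed Referer values; other.test stands in for an unrelated site.
SAMPLES = [
    "https://video.example.com",
    "https://video.example.com/watch?id=1",
    "http://video.example.com/",
    "https://example.com/",
    "http://cdn.eu.example.com/page",
    "https://notexample.com/",
    "https://example.com.other.test/",
    "https://other.test/x.example.com",
]


def evaluate(pattern: str) -> dict:
    """Map each sample Referer to the allow/deny decision for pattern."""
    return {ref: referer_allowed(pattern, ref) for ref in SAMPLES}


if __name__ == "__main__":
    for name in ("EXAMPLE_I", "EXAMPLE_II", "EXAMPLE_II_STRICT"):
        print(name)
        for ref, ok in evaluate(globals()[name]).items():
            print(f"  {'allow' if ok else 'deny (403)':<11} {ref}")
```

In the output, Example II allows https://other.test/x.example.com because .+ also matches the forward slash, so the subdomain group can extend past the host name. The stricter pattern denies that value while still allowing every example.com subdomain in the samples.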

You can apply the filter to the Origin header in case of an empty or missing Referer header by checking the box next to “In case of missing Referer header, apply the filter to the Origin Header”.

After making any changes in the Universal CDN Control Panel do not forget to click on the Save Changes button.
