Block Referrer - Blacklist Unauthorized Requests

By Martin Williams
Published on June 18, 2020
The feature Block Referrer is now available! This allows the blacklisting of domains that are hotlinking content. Previously, only referrer whitelisting was available, which required all necessary domains related to the Zone to be added. This new feature can be enabled in just a few clicks and can result in significant cost savings if the content is hotlinked on other websites. An unauthorized request will result in an HTTP 403 error and the asset will not be delivered.

Block Referrer explained

Blocking referrers ensures that content is only loaded from authorized domains. Any unauthorized request will result in an HTTP 403 error. Allow Empty Referrer can still be used in the same way as before. Wildcard domains are supported too (e.g. *.example.com). If the feature Block Referrer is enabled, Zone Referrers will be blacklisted and if disabled, Zone Referrers will be whitelisted.

Blacklisting has several advantages over whitelisting:

  • A domain can be blacklisted with as little as one Zone Referrer.
  • Blacklisting doesn't require an update if assets are loaded from an additional valid domain.
  • Whitelisting referrers can be tricky as assets can be loaded from many different domains. This can result in unexpected 403 errors.

The process of blocking referrers is very easy. It only takes a few steps:

  1. Enable Block Referrer.
  2. Create a Zone Referrer.
  3. Optionally enable or disable the feature Allow Empty Referrer.

What is the HTTP Referer?

The Referer header (an unfortunate misspelling of referrer) is an HTTP request header with the address of the previous web page linked to the asset requested. In other words, the referrer shows the web page from where the request originated. The referrer is normally correct in a typical scenario where a browser requests an asset. However, it can easily be spoofed. The scheme (http:// or https://) is part of the HTTP Referer header. This request header will typically look like the following:

Referer: https://www.mydomain.dom/about

Examples

The table below shows examples of possible settings and the result (HTTP status codes) with the following columns:

  • The HTTP Referer header as it is sent in the particular HTTP request.
  • The Zone Referrer is the list of referrers that has been added to this Zone.
  • The features Allow Empty Referrer and Block Referrer as specified in the Zone settings.
  • The HTTP status code that results from the settings.

| HTTP referer header | Zone Referrer | Allow Empty Referrer | Block Referrer | Status code |
|---|---|---|---|---|
| cdn.mydomain.com | *.baddomain.com | enabled or disabled | disabled | 403 |
| cdn.mydomain.com | *.mydomain.com | enabled or disabled | disabled | 200 |
| cdn.baddomain.com | *.baddomain.com | enabled or disabled | disabled | 200 |
| cdn.mydomain.com | *.baddomain.com | enabled or disabled | enabled | 200 |
| cdn.baddomain.com | *.baddomain.com | enabled or disabled | enabled | 403 |
| cdn.mydomain.com | none | enabled | enabled or disabled | 200 |
| empty | none | enabled | enabled or disabled | 200 |
| cdn.mydomain.com | none | disabled | enabled or disabled | 200 |
| empty | none | disabled | enabled or disabled | 403 |

As shown in the table above, as soon as a Zone Referrer is added to a Zone, it will have an impact. It's important to understand the impact of the settings.
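
The decision logic of the table above, written out as an added example (not KeyCDN's code; `referer_host`, `status_for` and `table_mismatches` are hypothetical names). It assumes that an empty Referer is decided by Allow Empty Referrer alone even when Zone Referrers exist, and that wildcards match shell-style against the lowercased host:

```python
# Added illustration of the table's logic; names are hypothetical, not KeyCDN's API.
from fnmatch import fnmatchcase
from itertools import product
from urllib.parse import urlsplit

EITHER = (True, False)  # the table's "enabled or disabled"

def referer_host(referer):
    """Lowercase host from a Referer value; None when empty or unparseable."""
    value = (referer or "").strip()
    if not value:
        return None
    if "//" not in value:  # the table lists bare hosts, real headers carry a scheme
        value = "//" + value
    try:
        return (urlsplit(value).hostname or "").lower() or None
    except ValueError:  # e.g. a malformed bracketed host
        return None

def status_for(referer, zone_referrers, allow_empty, block_referrer):
    """HTTP status the table predicts for one request."""
    host = referer_host(referer)
    if host is None:
        # Assumption: an empty Referer is decided by Allow Empty Referrer alone.
        return 200 if allow_empty else 403
    if not zone_referrers:
        return 200  # no Zone Referrer configured: nothing to match against
    listed = any(fnmatchcase(host, pat.lower()) for pat in zone_referrers)
    return (403 if listed else 200) if block_referrer else (200 if listed else 403)

# Rows of the table: (referer, zone referrers, allow empty, block referrer, status)
TABLE = [
    ("cdn.mydomain.com", ["*.baddomain.com"], EITHER, (False,), 403),
    ("cdn.mydomain.com", ["*.mydomain.com"], EITHER, (False,), 200),
    ("cdn.baddomain.com", ["*.baddomain.com"], EITHER, (False,), 200),
    ("cdn.mydomain.com", ["*.baddomain.com"], EITHER, (True,), 200),
    ("cdn.baddomain.com", ["*.baddomain.com"], EITHER, (True,), 403),
    ("cdn.mydomain.com", [], (True,), EITHER, 200),
    ("", [], (True,), EITHER, 200),
    ("cdn.mydomain.com", [], (False,), EITHER, 200),
    ("", [], (False,), EITHER, 403),
]

def table_mismatches():
    """Rows (with concrete settings) where status_for disagrees with the table."""
    return [(ref, zr, ae, br) for ref, zr, aes, brs, want in TABLE
            for ae, br in product(aes, brs) if status_for(ref, zr, ae, br) != want]
```

`table_mismatches()` returns an empty list when the function reproduces every row, which makes it a quick regression check before changing Zone settings.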
