Block Referrer - Blacklist Unauthorized Requests

By Martin Williams
Published on June 18, 2020
Block Referrer - Blacklist Unauthorized Requests

The feature Block Referrer is now available! This allows the blacklisting of domains that are hotlinking content. Previously, only referrer whitelisting was available, which required all necessary domains related to the Zone to be added. This new feature can be enabled in just a few clicks and can result in significant costs savings if the content is hotlinked on other websites. An unauthorized request will result in an HTTP 403 error and the asset will not be delivered.

Block Referrer explained

Blocking referrers ensures that content is only loaded from authorized domains. Any unauthorized request will result in an HTTP 403 error. Allow Empty Referrer can still be used in the same way as before. Wildcard domains are supported too (e.g. *.example.com). If the feature Block Referrer is enabled, Zone Referrers will be blacklisted and if disabled, Zone Referrers will be whitelisted.

Blacklisting has several advantages over whitelisting:

  • A domain can be blacklisted with as little as one Zone Referrer.
  • Blacklisting doesn't require an update if assets are loaded from an additional valid domain.
  • Whitelisting referrers can be tricky as assets can be loaded from many different domain. This can result in unexpected 403 errors.

The process of blocking referrers is very easy. It only takes a few steps:

  1. Enable Block Referrer.
  2. Create a Zone Referrer.
  3. Optionally enable or disable the feature Allow Empty Referrer.

What is the HTTP Referer?

The Referer header (an unfortunate misspelling of referrer) is an HTTP request header with the address of the previous web page linked to the asset requested. In other words, the referrer shows the web page from where the request originated. The referrer is normally correct in a typical scenario where a browser requests an asset. However, it can easily be spoofed. The scheme (http:// or https://) is part of the HTTP Referer header. This request header will typically look like the following:

Referer: https://www.mydomain.dom/about

Examples

The table below shows examples of possible settings and the result (HTTP status codes) with the following columns:

  • The HTTP Referer header as it is sent in the particular HTTP request.
  • The Zone Referrer is the list of referrers that has been added to this Zone.
  • The features Allow Empty Referrer and Block Referrer as specified in the Zone settings.
  • The HTTP status code that will result out of the settings.
HTTP referer headerZone ReferrerAllow Empty ReferrerBlock ReferrerStatus code
cdn.mydomain.com*.baddomain.comenabled or disableddisabled403
cdn.mydomain.com*.mydomain.comenabled or disableddisabled200
cdn.baddomain.com*.baddomain.comenabled or disableddisabled200
cdn.mydomain.com*.baddomain.comenabled or disabledenabled200
cdn.baddomain.com*.baddomain.comenabled or disabledenabled403
cdn.mydomain.comnoneenabledenabled or disabled200
emptynoneenabledenabled or disabled200
cdn.mydomain.comnonedisabledenabled or disabled200
emptynonedisabledenabled or disabled403

As shown in the table above, as soon as a Zone Referrer is added to a Zone, it will have an impact. It's important to understand the impact of the settings.

  • Share

Supercharge your content delivery 🚀

Try KeyCDN with a free 14 day trial, no credit card required.

Get started

Comments

Comment policy: Comments are welcomed and encouraged. However, all comments are manually moderated and those deemed to be spam or solely promotional in nature will be deleted.
  • **bold**
  • `code`
  • ```block```
KeyCDN uses cookies to make its website easier to use. Learn more about cookies.