Create a Zone Referrer (Hotlink Protection)
Zone Referrers allow you to restrict HTTP referrers in order to prevent your content from being embedded on other websites. This feature is also known as hotlink protection. Hotlink protection will save you bandwidth by prohibiting other sites from displaying your images.
- Log in to the KeyCDN dashboard.
- In the left navigation sidebar click Zone Referrers.
- Click Add Zone Referrer.
- Define the Zone Referrer that you want to be an allowed HTTP referrer (e.g
- Choose the Zone that you want to map the Zone Referrer to.
- Click Save.
When using Zone Referrers, ensure that you have set all the domains that you want to allow access to your content. For a standard setup, you would at least add the following to your list of Zone Referrers:
- Origin URL (e.g.
- Zone URL (e.g.
- Zone Alias (e.g.
Wildcard Zone Referrers can be defined, such as
*.example.com, to allow all subdomains of a particular root domain. A wildcard Zone Referrer does not cover the root domain (e.g.
You can also specify if you want to allow empty HTTP referrers or not from your Zone settings. This is done through the Allow Empty Referrer setting. By default it is set to
enabled (which will allow empty referrers). However, if you want additional protection you may set this to
disabled. This will return a
403 error to all requests that have an empty HTTP referrer.
Hotlink protection verification example
The following curl examples can be used to test if your Zone Referrers are set up properly. You can also use our HTTP Header Checker tool to check this.
curl -I -H 'Referer: https://www.yourwebsite.com' https://<zonename>-<hexid>.kxcdn.com/path/to/your/asset.jpg HTTP/2 200 server: keycdn-engine date: Wed, 12 Feb 2020 02:16:13 GMT content-type: image/jpeg content-length: 123611 last-modified: Fri, 31 Jan 2020 20:16:17 GMT etag: "5e348b11-1e2db" cache-control: max-age=604800 expires: Wed, 19 Feb 2020 02:16:13 GMT x-edge-location: ussf access-control-allow-origin: * accept-ranges: bytes
curl -I -H 'Referer: https://www.notyourwebsite.com' https://<zonename>-<hexid>.kxcdn.com/path/to/your/asset.jpg HTTP/2 403 server: keycdn-engine date: Wed, 12 Feb 2020 02:16:17 GMT content-type: text/html content-length: 1439 vary: Accept-Encoding etag: "5b44692a-59f"