Create a Zone Referrer (Hotlink Protection)

Updated on February 12, 2020

Zone Referrers allow you to restrict HTTP referrers in order to prevent your content from being embedded on other websites. This feature is also known as hotlink protection. Hotlink protection will save you bandwidth by prohibiting other sites from displaying your images.

  1. Log in to the KeyCDN dashboard.
  2. In the left navigation sidebar, click Zone Referrers.
  3. Click Add Zone Referrer.
  4. Define the Zone Referrer that you want to be an allowed HTTP referrer (e.g
  5. Choose the Zone that you want to map the Zone Referrer to.
  6. Click Save.

When using Zone Referrers, ensure that you have added every domain that should be allowed to access your content. For a standard setup, you would at least add the following to your list of Zone Referrers:

  • Origin URL (e.g.
  • Zone URL (e.g.
  • Zone Alias (e.g.

Wildcard Zone Referrers can be defined, such as *, to allow all subdomains of a particular root domain. A wildcard Zone Referrer does not cover the root domain (e.g.

In your Zone settings, you can also specify whether to allow empty HTTP referrers, using the Allow Empty Referrer setting. By default it is enabled, which allows empty referrers. For additional protection, you may set it to disabled, which returns a 403 error to all requests that have an empty HTTP referrer.

The following curl examples can be used to test if your Zone Referrers are set up properly. You can also use our HTTP Header Checker tool to check this.

curl -I -H 'Referer:' https://<zonename>-<hexid>
HTTP/2 200
server: keycdn-engine
date: Wed, 12 Feb 2020 02:16:13 GMT
content-type: image/jpeg
content-length: 123611
last-modified: Fri, 31 Jan 2020 20:16:17 GMT
etag: "5e348b11-1e2db"
cache-control: max-age=604800
expires: Wed, 19 Feb 2020 02:16:13 GMT
x-edge-location: ussf
access-control-allow-origin: *
accept-ranges: bytes

curl -I -H 'Referer:' https://<zonename>-<hexid>
HTTP/2 403
server: keycdn-engine
date: Wed, 12 Feb 2020 02:16:17 GMT
content-type: text/html
content-length: 1439
vary: Accept-Encoding
etag: "5b44692a-59f"
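
The same test as a repeatable check, added here as an example (it is not KeyCDN's own tooling): a shell script that sends one HEAD request per Referer value and compares the returned status with the one you expect, including the root domain that a wildcard does not cover and the empty-referrer case. The function names, the script name, and every URL and referrer value are assumptions or placeholders you supply.

```shell
#!/bin/sh
# Added example: verify a Zone's referrer policy by comparing the HTTP status
# returned for each Referer value against the status you expect.
# All URLs and referrer values are placeholders supplied by the caller.

# probe URL [REFERER]: print the status code of a HEAD request.
# With no REFERER argument, no Referer header is sent (empty-referrer case).
probe() {
    if [ "$#" -ge 2 ]; then
        curl -s -o /dev/null -I -w '%{http_code}' -H "Referer: $2" "$1"
    else
        curl -s -o /dev/null -I -w '%{http_code}' "$1"
    fi
}

# check_zone URL CASE...: each CASE is "expected_status=referer";
# "expected_status=" alone means "send no Referer".
# Prints one line per case and returns non-zero if any case mismatches.
check_zone() {
    url=$1
    shift
    failures=0
    for spec in "$@"; do
        want=${spec%%=*}
        referer=${spec#*=}
        if [ -n "$referer" ]; then
            got=$(probe "$url" "$referer")
        else
            got=$(probe "$url")
        fi
        if [ "$got" = "$want" ]; then
            verdict=ok
        else
            verdict=MISMATCH
            failures=$((failures + 1))
        fi
        printf '%-8s want=%s got=%s referer=%s\n' \
            "$verdict" "$want" "$got" "${referer:-<none>}"
    done
    [ "$failures" -eq 0 ]
}

# Example run (constructed values, assuming only a wildcard Zone Referrer is
# configured and Allow Empty Referrer is left at its default):
#   sh check_referrers.sh "$ASSET_URL" '200=https://www.example.com/' \
#       '403=https://example.com/' '403=https://other.example.net/' '200='
if [ "$#" -ge 2 ]; then
    check_zone "$@"
fi
```

A `MISMATCH` on a domain you expected to be allowed usually means it is missing from the Zone Referrer list, for example a root domain that a wildcard entry alone does not cover.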