Create a Zonereferrer (Hotlink Protection)

create a zonereferrer

Zonereferrers allow you to restrict HTTP referrers in order to prevent others from embedding your assets on other websites. This feature is also known as hotlink protection. Hotlink protection will save you bandwidth by prohibiting other sites from displaying your images.

  1. Sign in to the KeyCDN dashboard
  2. Click on Zonereferrer from the left navigation bar. Click on New Zonereferrer (blue button)
  3. Define a Referrer of your choice (e.g www.yourwebsite.com)
  4. Choose a zone you want to map the zonereferrer to
  5. Save the Zonereferrer

You can also define wildcard Zonereferrers such as *.example.com to allow all subdomains of a particular root domain to access your zone’s content.

When using Zonereferrers, ensure that you have set all the domains for which you want to allow access to your assets. For a standard setup, you would add the following domains to your list of Zonerefferers:

  • Your Zone URL kxcdn.com (required for loading web fonts e.g. Font Awesome)
  • Your Origin URL (e.g. yourwebsite.com)
  • Your Zonealias if you have one (e.g. cdn.yourwebsite.com).

You can also specify if you want to allow empty referrers or not from your zone’s advanced features section.

keycdn empty referrer

This is set to enabled by default (which will allow empty referrers). However if you want additional protection you may set this to disabled therefore returning a 403 error to all requests without a HTTP referrer field.

Hotlink Protection Verification Example

The following cURL examples can be used to test if your Zonerefferers are properly set up. You can also use our HTTP Check tool to check this.

$ curl -I -H 'Referer: http://www.yourwebsite.com' http://<zonename>-<hexID>.kxcdn.com/path/to/your/asset.jpg
HTTP/1.1 200 OK
Server: keycdn-engine
Date: Fri, 15 Aug 2014 19:14:07 GMT
Content-Type: text/html
Content-Length: 1467
Last-Modified: Wed, 2 Jul 2014 12:57:48 GMT
Connection: keep-alive
ETag: "53c676cc-5bb"
X-Edge-Location: defr
Accept-Ranges: bytes

$ curl -I -H 'Referer: http://www.notyourwebsite.com' http://<zonename>-<hexID>.kxcdn.com/path/to/your/asset.jpg
HTTP/1.1 403 Forbidden
Server: keycdn-engine
Date: Fri, 15 Aug 2014 19:14:16 GMT
Content-Type: text/html
Content-Length: 1596
Connection: keep-alive
ETag: "53f77ee7-63c"