How to Use X-Pull

The KeyCDN X-Pull feature allows you to restrict CDN traffic to your origin server. This feature is available for all Pull Zones and can be found within the dashboard by navigating to the advanced features section of your zone. To learn more about example use-cases of X-Pull and why this method works better over IP whitelisting, read our article How to Restrict CDN Traffic to Your Origin Server.

Setting up X-Pull

The following section will step through the process of configuring X-Pull with KeyCDN and your origin server. There are various methods that may be used depending on the origin server and framework you are using. The following shows examples for both Apache and Nginx.

  1. Define your secret key within the advanced features section of the KeyCDN dashboard. This can be anything you like. x-pull-secret-key
  2. For users who are using a PHP-based framework, adding the following configuration to your origin server will return a 405 error on Nginx and a Forbidden error on Apache. This configuration links to the php-fpm processor thus returning an error for all requests that send the X-Pull header and are associated with PHP such as your CDN pages (e.g. or


    Nginx users can add the following to their configuration file.

    location ~ \.php$ {
        if ($http_x_pull ~* "secretkeyname") {
            return 405;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;


    Apache users can add the following snippet to the .htaccess file. Ensure that you add the snippet at the top of your .htaccess file, otherwise it may not work. The following configuration will return a 403 or Forbidden error for all pages using the CDN URL.

    RewriteEngine On
    RewriteCond %{HTTP:X-Pull} secretkeyname
    RewriteRule \.(html|php)$ - [F]
  3. Use the HTTP Header Check tool to verify if you are receiving the expected response when a request is made with the X-Pull key. http-header-check

Once the steps above are configured on your origin server, be sure to purge your zone cache and try to access a page using your CDN URL. If you receive a 405 error then you have properly configured X-Pull for this use case.


This logic can be modified for various use-cases depending on which framework is being used and the goal you wish to achieve.

For users who may want to distinguish between KeyCDN traffic and other traffic, X-Pull can also be used. For instance, since the X-Pull header is added to HTTP requests, you can use this method to prevent a firewall from blocking the CDN.

Leave A Comment?