Setting a Hotlinking Policy - protect your CDN content
How it works
Let's assume that there is a web page http://www.mycompany.com/page.html and that on that web page there is a HTML img tag with a CDN source e.g.:
<img src="http://12345.r.cdnsun.net/image.jpeg" />
When a viewer opens the web page, the viewer's browser requests the image asset from the CDN. The browser includes in that request a so-called HTTP Referer header; in this example it is http://www.mycompany.com/page.html. With Hotlinking Policy you can specify which domains (in this example www.mycompany.com) are allowed to request your CDN content. The typical use of Hotlinking Policy is to allow only your own domains and block all others, so that your CDN assets work only on your own domains and nowhere else. Please note that Hotlinking Policy does not protect your CDN content from unwanted downloads, because requests that do not contain an HTTP Referer header are never blocked. If you want to protect your content from unwanted downloads, use URL signing.
How to enable Hotlinking Policy
- Go to the Services/Settings page.
- Set the Hotlinking Policy option to one of:
  - None - any domain can access the CDN service.
  - Allow by default - all domains except the domains specified in the Domains option can access the CDN service.
  - Block by default - only the domains specified in the Domains option can access the CDN service.
- Fill in Domains related to the Policy above.
- Click on the Update Service button.
- That's all.
Please note that the domain names have to be exact; wildcards are not supported. For example, www.example.com and domain.com are supported, but *.example.com is not.
Let's say that you want to allow access from www.mycompany.com only. To achieve this, select Block by default and then fill in www.mycompany.com. Please note that if you select "Allow by default" and then fill in "www.mycompany.com", you allow access from all domains except "www.mycompany.com".
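The decision rules described above (three policy modes, exact domain matching, no wildcards, and requests without a Referer header never being blocked) as an added Python model for checking your own configuration before you apply it. This is example code written for this article, not CDNsun's implementation; the mode names and the `hotlinking_decision` function are assumptions of the example, and a Referer value that carries no host name is treated like a missing header.

```python
from urllib.parse import urlsplit

# Constructed names for the three Hotlinking Policy modes described above.
NONE = "none"
ALLOW_BY_DEFAULT = "allow_by_default"
BLOCK_BY_DEFAULT = "block_by_default"


def referer_host(referer):
    """Return the host part of a Referer header value, or None if absent."""
    if not referer:
        return None
    # urlsplit().hostname already strips the port and lower-cases the name.
    return urlsplit(referer).hostname or None


def hotlinking_decision(policy, domains, referer):
    """Return the HTTP status (200 or 403) the policy yields for one request.

    policy  : NONE, ALLOW_BY_DEFAULT or BLOCK_BY_DEFAULT
    domains : the exact domain names entered in the Domains option
              (no wildcard support, so "*.example.com" never matches anything)
    referer : the request's Referer header value, or None when it is missing
    """
    if policy == NONE:
        return 200
    host = referer_host(referer)
    # A request without a (usable) Referer header is never blocked,
    # whatever the policy, which is why this is not download protection.
    if host is None:
        return 200
    # Exact, case-insensitive comparison only: www.example.com != example.com.
    listed = host in {d.lower() for d in domains}
    if policy == BLOCK_BY_DEFAULT:
        return 200 if listed else 403
    if policy == ALLOW_BY_DEFAULT:
        return 403 if listed else 200
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed sample requests against the configuration from the text.
    cfg = (BLOCK_BY_DEFAULT, ["www.mycompany.com"])
    for ref in ("http://www.mycompany.com/page.html", "http://blocked-domain.com", None):
        print(f"{str(ref):40} -> {hotlinking_decision(*cfg, ref)}")
```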
Streaming CDN services
Please note that for streaming CDN services (CDN Video, CDN Video Push and CDN Live) the Hotlinking Policy is supported only with RTMP protocol. It is not supported with HLS, RTSP, HDS and MSS protocols. Please refer to Supported CDN streaming protocols and formats for more details.
How to test Hotlinking Policy
You can use the --referer option of the curl command line tool.
- curl --head --referer http://allowed-domain.com http://12345.r.cdnsun.net should return 200 OK,
- curl --head --referer http://blocked-domain.com http://12345.r.cdnsun.net should return 403 Forbidden.
You can use the --pageUrl option of the rtmpdump command line tool.
- rtmpdump --pageUrl http://allowed-domain.com rtmp://12345.r.cdnsun.net/12345/_definst_/mp4:12345/mystream should start dumping your live stream,
- rtmpdump --pageUrl http://blocked-domain.com rtmp://12345.r.cdnsun.net/12345/_definst_/mp4:12345/mystream should not start dumping your live stream.
- When debugging a hotlinking protected CDN service with command line curl, please make sure that curl's --referer option is set to an allowed URL, e.g., http://www.mycompany.com.
- When debugging a hotlinking protected CDN service with command line rtmpdump, please make sure that rtmpdump's --pageUrl option is set to an allowed URL, e.g., http://www.mycompany.com.