How to set up hotlinking protection?

What is hotlinking?

Hotlinking (also known as inline linking, or leeching) is a practice where one website uses an object (usually an image or a video) that is linked elsewhere on the internet on an unrelated site. 

When a webpage is loaded, typically all the resources (images, videos, scripts, stylesheets, etc.) are downloaded from the same server (or associated CDN) where the webpage is hosted. However, when hotlinking is used, instead of storing a copy of the image or video on the website's own server, the webpage references the location of the file on a different server (or that site's unrelated CDN). Every time the webpage is loaded, the file is downloaded from the other server.

This can lead to bandwidth theft, where every time the web page is loaded the external URL is also called (to potentially your content)as this can lead to higher costs for the owner of the server where the file is hosted, as they often have to pay for their bandwidth usage for the content on other sites that aren't their target audience. Example: if someone is hotlinking your video on their site, each time someone plays it you'd need to pay for the bandwidth used. 

The other main issue hotlinking can present is a lack of control, the site that is leeching the content has no way to stop the original host from changing the content. We can often identify that this is going on by looking at the referral header that is sent with most requests to the CDN. 

What is a referral header?

The "Referer" header is a part of the request sent by your browser to the web server when you navigate the web. It identifies the address (URL) of the webpage that linked to the resource being requested.

For example, if you're on a webpage at and you click a link to, your browser sends an HTTP request to to get page2.html. In this request, your browser includes a Referer header that looks something like this: Referer:

This tells the server at that you were referred to page2.html by

How can help you mitigate content misuse with referral headers?

By default, the CDN platform will serve any request from any referral header, but under the Security tab in your Pull Zone or Video Library, you can control this. You can specify domains that are allowed to show your content (this is useful, as often the CDN uses a different hostname to serve the content) and domains that aren't allowed to show your content. 

Inside a Pull Zone, this can be done in the Security tab:

Blocked Referrers is where you can insert a list of hostnames that aren't allowed to serve content from your Pull Zone/Video Library (any referral headers that are on this list are served a 403). You can also work this the other way round by using the Allowed Referrers option, where you can enter hostnames that we will allow requests from and then we will block any referred requests that don't come from these domains. Please be aware this is a choice of one or the other, we don't allow using both Blocked and Allowed.

N.B: Please ensure you enter just a hostname here, removing any http/https from the beginning of the URL and any slates or paths at the end. For example:, but would work here. 

In addition, we also provide this option further down the page for Stream Video Libraries:

In some cases, a referral header is not sent at all and we can block requests that don't send this however this can cause issues with some clients like Apple based clients who often don't send referral headers. 



Table of Contents

Was this article helpful?
4 out of 4 found this helpful