Avoiding Hotlinking

Basic protection against hotlinking

Although most browsers are moving toward stricter Referrer-Policy defaults for privacy reasons, basic protection against hotlinking can still be achieved.

To do this, you just need to define the TCDN-Avoid-Hotlink-URL header with the path to the resource you want to serve as a placeholder.

For example, if you want to prevent hotlinking of images located under the /wiki/contenido path of your domain www.example.com, the VCL code to insert in the configuration would be similar to:

sub vcl_recv {
    if (req.http.host == "www.example.com") {
        # Protect only media files under /wiki/contenido
        if (req.url ~ "^/wiki/contenido" && urlplus.get_extension() ~ "^(jpg|jpeg|png|gif|svg|mp4)$") {
            # Resource served in place of the hotlinked file
            set req.http.TCDN-Avoid-Hotlink-URL = "/img/hotlink-placeholder.png";
        }
    }
}

As always, you can define it in a new vcl_recv block or within the existing one.

Now, requests for those resources that meet those conditions and carry a Referer from a domain other than the current site's will be served the placeholder /img/hotlink-placeholder.png instead. Defining a placeholder is mandatory.

You can add any necessary conditions to the previous code. For example, if the domain www.example2.com is allowed to hotlink without any restrictions, the code would look like this:

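sub vcl_recv {
    if (req.http.host == "www.example.com") {
        if (
                req.url ~ "^/wiki/contenido" &&
                urlplus.get_extension() ~ "^(jpg|jpeg|png|gif|svg|mp4)$" &&
                # Dots escaped and the host terminated by an optional port, "/" or
                # end of string, so only www.example2.com itself is exempt
                req.http.referer !~ "^https?://www\.example2\.com(:[0-9]+)?(/|$)"
           ) {
            set req.http.TCDN-Avoid-Hotlink-URL = "/img/hotlink-placeholder.png";
        }
    }
}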
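
An added check, not part of the original documentation, for Referer exemption patterns such as the www.example2.com condition above. It runs a pattern over constructed Referer values and lists those it would exempt although their host is not the allowed one; Python's re stands in for VCL's regex matching, and the function names and sample values are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

ALLOWED_HOST = "www.example2.com"

# Unanchored form: "." matches any character and nothing terminates the host.
LOOSE = r"^https?://www.example2.com"
# Dots escaped; host must be followed by an optional port, then "/" or end.
STRICT = r"^https?://www\.example2\.com(:[0-9]+)?(/|$)"

# Constructed Referer values (not taken from real traffic).
SAMPLES = [
    "https://www.example2.com/gallery/page.html",
    "http://www.example2.com",
    "https://www.example2.com:8443/index.html",
    "https://www.example2.com.mirror.example/page.html",
    "https://wwwxexample2.com/",
    "https://www.example2.community/",
    "https://other.example/?u=https://www.example2.com/",
]

def referer_host(referer):
    """Host part of a Referer value, lower-cased, or None if unparseable."""
    try:
        return (urlsplit(referer).hostname or "").lower() or None
    except ValueError:
        return None

def false_accepts(pattern, referers, allowed_host=ALLOWED_HOST):
    """Referers the pattern exempts although their host is not allowed_host."""
    rx = re.compile(pattern)
    return [r for r in referers
            if rx.search(r) and referer_host(r) != allowed_host]

def false_rejects(pattern, referers, allowed_host=ALLOWED_HOST):
    """Referers from allowed_host that the pattern fails to exempt."""
    rx = re.compile(pattern)
    return [r for r in referers
            if not rx.search(r) and referer_host(r) == allowed_host]

if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("strict", STRICT)):
        print(name, "false accepts:", false_accepts(pat, SAMPLES))
        print(name, "false rejects:", false_rejects(pat, SAMPLES))
```

Running the same sample list against any new exemption pattern before deploying it shows whether hosts other than the intended one would bypass the placeholder.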
