joined:Apr 1, 2016
As I'm sure many are aware Cloudflare offers a very simple to implement Hotlink protection as part of its Scrape-Shield features. The feature is included in the free account. But it only protects the most common image file formats.
Supported file extensions: gif, ico, jpg, jpeg, and png.
My site uses SVG extensively to create graphics, as such this feature is completely useless.
Another alternative for hotlink protection is to use workers (serverless JS web-worker located at the cloudflare nodes) to intercept requests as they come in and block the unwanted ones.
Here is the recipe proposed by cloudflare.
The other solution I found is to use Firewall rules. I assume that this is essentially the same or similar to standard hotlink protection but it is customizable.
Here is the basic recipe I used:
http.request.method eq "GET" and http.request.full_uri contains ".svg"
and not (
http.referer contains "www.example.com"
or http.referer contains "example.com"
It blocks all GET requests for any uri containing .svg except for those that have my domain as the referrer or a included on Cloudlfare's white list of bots.
CF White List: [developers.cloudflare.com
Now I realize that this method is not perfect, and is in fact quite restrictive and may prevent people from sharing image through social-media (as neither FB, or Twitter on the white list. oddly Pinterest is?) but I think this approach is better than doing nothing and if issues arise I can always loosen some of the restrictions as time goes on. The nice thing about this method is that it can easily be changed with very little effort.
I just implemented this today no both my websites, I'll be watching it carefully moving forward.
Any feedback would be welcome.