In order to prevent bandwidth leeching, you can use our regular HTTP Referrer protection and explicitly allow certain referrers to access your CDN assets. However, if aside from explicit allowance of white referrers you need to allow a blank one as well, you can still do this while keeping other referrers blocked. You can do this trick as illustrated in the example below where we allow access to referrers “d.com” and “dom.com”:

NGINX Configuration block

location / {
          if ($http_referer !~* (^$|d.com$|dom.com$)) {
          rewrite ^ http://blackhole.com permanent;
          }

CURL example with allowed referrer

# curl -I http://foo.bar.netdna-cdn.com/file.png --referer http://dom.com
HTTP/1.1 200 OK
Date: Thu, 13 Mar 2014 17:23:55 GMT
Content-Type: image/png
Content-Length: 123456
Connection: keep-alive
Last-Modified: Wed, 11 Sep 2013 18:19:58 GMT
Cache-Control: max-age=604800
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Expires: Thu, 20 Mar 2014 17:23:24 GMT
Server: NetDNA-cache/2.2
X-Cache: HIT
Accept-Ranges: bytes

CURL example with blank referrer

Normally, with HTTP Referrer protection you would expect to have 403 response code when blank referrer is used, however, we bypased that scenario already so, this is the response with our setup:

curl -I http://foo.bar.netdna-cdn.com/file.png
HTTP/1.1 200 OK
Date: Thu, 13 Mar 2014 17:32:41 GMT
Content-Type: image/png
Content-Length: 123456
Connection: keep-alive
Last-Modified: Wed, 11 Sep 2013 18:19:58 GMT
Cache-Control: max-age=604800
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Expires: Thu, 20 Mar 2014 17:23:24 GMT
Server: NetDNA-cache/2.2
X-Cache: HIT
Accept-Ranges: bytes

CURL example with disallowed referrer

What did we block then? Everything else:

curl -I http://foo.bar.netdna-cdn.com/file.png --referer http://other-domain.com
HTTP/1.1 301 Moved Permanently
Date: Thu, 13 Mar 2014 17:35:02 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://blackhole.com
Server: NetDNA-cache/2.2