A popular MaxCDN content security feature is the HTTP Referer Whitelist, a hotlinking prevention tool. It provides an adequate amount of content security in most cases, but when referers differ by cache location, you may need more control over whitelisting referers than the HTTP Referer Whitelist offers.


Image: The HTTP Referer Whitelist feature in the MaxCDN Control Panel. Pull Zones -> Manage Security

EdgeRules, located in your MaxCDN Control Panel, gives you more control over whitelisting referers to your CDN content than the HTTP Referer Whitelist feature. It lets you apply a unique referer list to different cache locations and contains access to a directive called “valid_referers.” With this you can define a list of referers (domains) selectively, then block any unauthorized referers.

Below we’ll go over the process of overriding valid referers specified in your HTTP Referer Whitelist to help you obtain more control over content accessibility. First though, let’s go over some typical uses case for needing to do this.

Important note
By using “WHITELISTED REFERERS” in EdgeRules, you will override any existing referers in the HTTP Referer Whitelist feature.

Use Cases

In most cases, MaxCDN users use the whitelisting feature in EdgeRules simply to add more referers than what the HTTP Referer Whitelist feature offers. The list has a character limit of 250, and therefore only allows you to enter a handful of domains/referers. If you need to whitelist more referers, you’ll need to use the EdgeRules method.

You can also use the EdgeRules method to allow select referers access to content you don’t want the general public to consume.

Process

  1. Choose the “WHITELISTED REFERERS” directive:

  2. Define the list of allowed referers:

  3. Choose the “STATUS CODE” directive:

  4. Define conditional if ( $invalid_referers = 1 ){ return 403; }:

    This means that any referer not in the valid_referers list will be blocked.

    The complete rule would look like this:

Nginx Configuration Block

location / {
		valid_referers *.domain.com domain.com *.abc.net;
		if ($invalid_referer = 1) {                                  
			return 403;
		}
...
}

CURL Tests

Using proper referer

~ $ curl -I http://cdn.domain.com/file.mp4 --referer "http://www.abc.net"
HTTP/1.1 200 OK
Content-Type: video/mp4
Connection: close
Content-Length: 203647332
Last-Modified: Thu, 25 Dec 2014 01:18:03 GMT
Date: Thu, 05 Nov 2015 14:30:11 GMT
ETag: "549b65cb-c236964"
Server: NetDNA-cache/2.2

Using wrong referer

~ $ curl -I http://cdn.domain.com/file.mp4 --referer "http://www.123.com"
HTTP/1.1 403 Forbidden
Date: Thu, 05 Nov 2015 14:30:19 GMT
Content-Type: text/html
Content-Length: 169
Connection: close
Server: NetDNA-cache/2.2

Using no referer

~ $ curl -I http://cdn.domain.com/file.mp4
HTTP/1.1 403 Forbidden
Date: Thu, 05 Nov 2015 14:30:25 GMT
Content-Type: text/html
Content-Length: 169
Connection: close
Server: NetDNA-cache/2.2

If you have any questions about overriding whitelisted referers using the EdgeRules feature, please leave a comment below or start a live chat with support.