Since the ordinary referrer check is almost useless (sending of a referrer header can easily be disabled with a <meta> tag), there are several other ways of protection:
- URL signature (parameter /key=..,)
- URL expiration check (parameter ,end=12345678/)
- a list of allowed referrers or a list of prohibited referrers (parameter /referer=LIST/)
- URL with IP (or range of IPs) binding (parameter ,ip=1.2.3.4/)
- unique (per visit) URL without specific IP binding but with a limit on the number of different IPs that will be allowed to use this URL (parameter ,limit=3/)
- cookie check (parameter /sec=cookie_name/; makes sense only if URL signature protection is activated)
- it is also possible not to check at all
One of the best ways to protect against hotlinking is to bind the URL to the IP of the browser and specify the list of allowed referrers. But about 10-15% of visits use a dynamic IP (the request to the website comes from one IP and the request to the CDN from another). To block hotlinking but still allow access for users with dynamic IPs (or with cookies disabled), vCDN has the following rule: if the IP binding check fails, or the cookie check fails, but a VALID (non-empty) REFERER is found, then access is granted. You can also add a cookie check: if the cookie value matches the key value, the request is valid even if there is no IP binding or no referrer (if a referrer is present but does not match, the request will be rejected).
If IP binding is not used, the absence of a valid cookie will not reject the request only if there is a valid referrer. But to use a cookie, you need to:
- delegate your subdomain to our NSs, so that we can use them in redirects to streams;
- provide us with a certificate for *.cdn.example.com for redirects to streaming servers https://ip123456.cdn.example.com/.. (otherwise the cookie check won't work).
It is possible to specify a “white list” of addresses for which the URL signature will not be checked (the keycheck_whitelist setting on the client). This is done through the support team.
Examples
URL expiration check
http://video.blazingcdn2.net/key=LePgDoTB7PDqCBQsRxa92w,end=1987654321/output.mp4
URL with IP binding
http://video.blazingcdn2.net/key=yP5e78-rTfBrgPLhuDzCBg,end=1987654321,ip=1.2.3.4/output.mp4
URL with IP and cookie binding
http://video.blazingcdn2.net/key=GnElxcWZ+dx27qMwDGJBDQ,end=1987654321,ip=1.2.3.4/sec=cookie_name/output.mp4
Limiting the number of requests from different IPs
http://video.blazingcdn2.net/key=UsijXw8tJK60yTBLu6wsyA,end=1987654321,limit=3/output.mp4
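The following Python sketch is an added example, not vCDN's own code: it parses the parameter layout of the example URLs above and models one reading of the fallback rule (a valid referrer grants access when the IP or cookie check fails, a matching cookie grants access without a referrer, and a referrer that is present but not allowed is rejected). The function names, the `allowed_hosts` set of referrer hostnames and the constructed host `site.example` are assumptions; the `key=` signature is treated as already verified because its algorithm is not described here, only a single bound IP is handled, and `limit=` is not modelled.

```python
import hmac
import ipaddress
from urllib.parse import urlsplit

def parse_protected_url(url):
    """Return ({param: value}, filename) from /key=..,end=../sec=../file."""
    *segments, filename = urlsplit(url).path.lstrip("/").split("/")
    params = {}
    for segment in segments:
        for pair in segment.split(","):
            name, sep, value = pair.partition("=")
            if sep:
                params[name] = value
    return params, filename

def decide(url, client_ip, now, referer=None, cookies=None, allowed_hosts=frozenset()):
    """Model of the documented rule; returns (granted, reason).
    Assumes the key= signature was already verified elsewhere."""
    params, _ = parse_protected_url(url)
    try:
        if "end" in params and now > int(params["end"]):
            return False, "expired"
    except ValueError:
        return False, "malformed end"
    if referer:
        # A referrer that is present but not on the allowed list is rejected;
        # a valid one grants access even when IP or cookie checks would fail.
        if urlsplit(referer).hostname in allowed_hosts:
            return True, "valid referer"
        return False, "referer not allowed"
    if "sec" in params:
        # Cookie named by sec= must carry the key value (constant-time compare).
        cookie = (cookies or {}).get(params["sec"], "")
        if hmac.compare_digest(cookie.encode(), params.get("key", "").encode()):
            return True, "cookie matches key"
        return False, "cookie check failed and no referer"
    if "ip" in params:
        try:
            same = ipaddress.ip_address(client_ip) == ipaddress.ip_address(params["ip"])
        except ValueError:
            same = False
        return (True, "ip matches") if same else (False, "ip mismatch and no referer")
    return True, "no binding configured"
```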