Hot-link protection

Block other websites from linking to your content. This is useful for protecting images.

export default {
  async fetch(request) {
    const HOMEPAGE_URL = "https://tutorial.cloudflareworkers.com/";
    const PROTECTED_TYPE = "image/";

    // Fetch the original request
    const response = await fetch(request);

    // If it's an image, engage hotlink protection based on the
    // Referer header.
    const referer = request.headers.get("Referer");
    const contentType = response.headers.get("Content-Type") || "";

    if (referer && contentType.startsWith(PROTECTED_TYPE)) {
      // If the hostnames don't match, it's a hotlink
      if (new URL(referer).hostname !== new URL(request.url).hostname) {
        // Redirect the user to your website
        return Response.redirect(HOMEPAGE_URL, 302);
      }
    }

    // Everything is fine, return the response normally.
    return response;
  },
};

export default {
  async fetch(request): Promise<Response> {
    const HOMEPAGE_URL = "https://tutorial.cloudflareworkers.com/";
    const PROTECTED_TYPE = "image/";

    // Fetch the original request
    const response = await fetch(request);

    // If it's an image, engage hotlink protection based on the
    // Referer header.
    const referer = request.headers.get("Referer");
    const contentType = response.headers.get("Content-Type") || "";

    if (referer && contentType.startsWith(PROTECTED_TYPE)) {
      // If the hostnames don't match, it's a hotlink
      if (new URL(referer).hostname !== new URL(request.url).hostname) {
        // Redirect the user to your website
        return Response.redirect(HOMEPAGE_URL, 302);
      }
    }

    // Everything is fine, return the response normally.
    return response;
  },
} satisfies ExportedHandler;

from js import Response, URL, fetch

async def on_fetch(request):
    homepage_url = "https://tutorial.cloudflareworkers.com/"
    protected_type = "image/"

    # Fetch the original request
    response = await fetch(request)

    # If it's an image, engage hotlink protection based on the referer header
    referer = request.headers["Referer"]
    content_type = response.headers["Content-Type"] or ""

    if referer and content_type.startswith(protected_type):
        # If the hostnames don't match, it's a hotlink
        if URL.new(referer).hostname != URL.new(request.url).hostname:
            # Redirect the user to your website
            return Response.redirect(homepage_url, 302)

    # Everything is fine, return the response normally
    return response

Was this helpful?

Cloudflare Dashboard Discord Community Learning Center Support Portal

Cookie Settings

Hot-link protection

Was this helpful?

What did you like?

What went wrong?

Thank you for helping improve Cloudflare's documentation!