Does Cloudflare cache files behind a site's own htaccess hotlink protection?

Can anyone clear up something for me about Cloudflare’s caching…

I’ve got a site that contains mp3 files that I protect from hotlinking via an htaccess file that blocks external sites from accessing mp3 files (whilst letting other file types continue to be accessed). If you attempt to access an mp3 file from outside the site you’ll be shown a 403 forbidden error.

In Cloudflare I’ve added a page rule to ‘cache everything’ within the sub-folder that contains these media files.

Does anyone know if Cloudflare is actually able to cache the mp3 files that are behind that htaccess file in this scenario?

You might first want to define what you mean by “Access an MP3 file from outside the site”, but in general once a URL is cached by Cloudflare things like referer evaluation and similar won’t apply as the file is returned by the cache and your server is never called.

1 Like

By ‘outside the site’ I meant try to download, link to from an external website or open the file directly in a browser window.

The htaccess file checks that the http_referer matches our site and returns a 403 if not. These files are still playing fine on our site even though we have ‘cache everything’ set on the folder they are stored in. If you paste the url of one of these files into a browser window (so that the http_referer is not a match) you still correctly get a 403 so the htaccess rules are still being observed.

Does this suggest that Cloudfare is not caching these files at all and is just passing requests through to the server?

To check for the cache status you should check the headers returned on the dev tools of the browser.

There should one cf-cache-status.

in general the Referrer header is not part of the cache key, so users who access with referrer “a.com” will receive the same cached file as users with referrer “b.com”.

If you use CF’s hotlink protection, it kicks in before pulling from cache, so you probably want to use only CF protection (but it’s up to you).

1 Like

Unfortunately we can’t check the headers as attempting to access a file direct produces a 403 (as per the htaccess rules).

So I guess this means that Cloudflare isn’t actually caching anything in that folder as the blocking of hotlinking via our server’s own htaccess file is still working.

Is it possible to turn Cloudflare’s own Hotlink Protection on for just one type of file? (i.e. allow .jpg/.jpeg/.png to be scrapped and protect only .mp3 files)

You can see the headers even when opening a file while embedded in a page…

For the hotlink protection you can put the valid files in a subpath of hotlink-ok if I remember correctly. There should be an help section underneath the option.

An alternative would be to write your own hotlink-protection protection code in a worker and deploy it only on the paths that you need (or everywhere and selectively enable/disable it in the code).

Thanks matteo - I think the solution is to remove our server’s htaccess restrictions so that Cloudflare can gain access to cache the mp3 files and then to block hotlinking via a worker script that only applies the block on mp3 files. We can’t use the subpath approach as the media files are mixed in with .jpgs that we’re happy to have on google images etc.

Thanks for the help everyone - much appreciated.

1 Like

The only way to use the first solution is to move all the images in another folder… It’s a pain if you also need to rewrite the image links.

Workers would be fine but you could also use a Firewall Rule. The latter is what I do, allows very granular approach (e.g. allowing specific IPs or referrers access whilst blocking others, allowing or disallowing bots or bad actors etc) but should be simpler than implementing a Workers Script.

Yeah, didn’t think about the new Firewall Rules! Those should work!

This topic was automatically closed after 14 days. New replies are no longer allowed.