Hotlink Protection not working / favicon / other files / firewall rules

I have enabled hotlinking for my website in CF dashboard > Scrape Shield > Hotlink Protection = ON

Image URL

Use the above image URL in the test webpage (w3schools) and the image shows up. Thats wrong, the image should be denied since referrer domain is and not Why Hotlink protection is not working ?

Test url, change the img src url, and run the script
Tryit Editor v3.7

Let me know your results.

Can’t tell for sure, but I guess Cloudflare adopted after these Huge Problem with FavIcon HotLink Protection and maybe this Onebox, favicon's and Cloudflare's "Hotlink Protection" - support - Discourse Meta problems and maybe is not ‘protecting’ the favicon anymore with the default HotLink protection I don’t know why someone would want this anyway.

HotLink protection is there, so others can not abuse your server and use your images to save traffic and to make you pay for the traffic. Your favicon is not even 1kb big, so would be pretty hard to abuse this.

Also, I could not find any other image on your site, so it is hard to test against a legit image file.
If you like you can upload a normal JPEG to your server/website and share the link here so we can test, if it would be protected.

1 Like

Yes, thats correct. Favicon seems to be an exception here. Other test images are being protected fine.

I plan to host a few mp3 files, for those files, I would implement hotlink protection using firewall rules i.e. URI contains ‘.mp3’ AND referer not equal to blanks AND referer not contains ‘domain’, then BLOCK. Tested and returns 403 forbidden. Looks good. Putting it out here so that anyone can reference the above rule and customize it for hotlink protection for any file/url. Should work ok without any problems.

Just make sure you understood ToS 2.8 properly:

2.8 Limitation on Serving Non-HTML Content

The Services are offered primarily as a platform to cache and serve web pages and websites. Unless explicitly included as part of a Paid Service purchased by you, you agree to use the Services solely for the purpose of (i) serving web pages as viewed through a web browser or other functionally equivalent applications, including rendering Hypertext Markup Language (HTML) or other functional equivalents, and (ii) serving web APIs subject to the restrictions set forth in this Section 2.8. Use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service. If we determine you have breached this Section 2.8, we may immediately suspend or restrict your use of the Services, or limit End User access to certain of your resources through the Services.

A few mp3 files will not be a problem, but “a few” is very subjective so make sure you are within the ToS.

Hi @M4rt1n
Just tried with this file, hotlinking NOT working again.

Test it here

Let me know how it goes for you.

Is this hotlinking feature unstable / unreliable ? Should I instead setup firewall rules to disable hotlinking then ?

I would be hosting about 200 mp3 files (on my origin server), about 200 * 20MB = 4GB approx. CF will just be caching the files as needed. I am on a free plan. Is that fine as per TOS ? Do I need to purchase a Paid plan for this use case ?

I am already hosting on a VPS, so if this violates CF TOS, let me know, I will just bypass the CF cache for mp3 files and serve them directly from my origin server. Can someone from CF TOS team clarify on this ?

Please post the link to the resource (as `code`) and do not upload the image or post the URL just so. Otherwise I can’t test it, since the URL changes to the CDN of discourse.

It is very reliable for all common image formats, but it just works on Images, not on JS/CSS etc. If you want it for anything else you need to set up a firewall rule anyway.

The number itself would leed me to think it is ok, but as soon as I saw the filesize I think this is against the ToS, since 20MB MP3 files are 100% not typical webcontent.

About the MP3 files. I can recommend using AAC, Opus or Vorbis. They are in all aready better than MP3. Would still be no typical webcontent, but better compression and therefore smaller files for the same content. AAC btw. performs exeptionally on low bitrates, unlike MP3.

Sorry but “bypassing cache” will not prevent the files which are untypical webcontent from beeing served through Cloudflares Network. You would have to set up a subdomain (e.g. and set it to unproxy :grey:. This will make sure, the MP3s are not getting served by Cloudflares CDN. But this will expose your origin IP, so an alternative is: just by a pro plan, have never seen them kicking a paying customer :slight_smile:

Image URL which is not being hotlinked protected
Please test and let me know. Its really strange.

Regarding MP3 files, I will buy the ‘Cache Reserve’ plan once it becomes available. For 200-300 PlayAudio requests per day and about 4GB of total file storage, that will be the cheapest plan. Have requested for access. Will that be ok ?

Pro Plan costs 20$ and R2 + Workers looks to be more complicated & costly for my use case.

Test completed, this images ATM is not getting protected against hotlinking. Can you please doublecheck that the option is active and no PageRules are overruling this setting?

I assume, it will since you then pay for the storage. But I have not read the ToS for Cache Reservey yet and don’t even know if different rules apply here.

1 page rule with ‘Cache Level: Cache Everything, Origin Cache Control: On’, looks fine

hotlink protection = ON (since past 2 years)

I just re-started the Hotlink protection (turn off and on again) and now the Hotlink protection is working. Looks like a typical sync issue with the frontend/backend.

Solution - If your Hotlink protection doesnot seem to be working, just turn the switch off and on again, and it should work.

1 Like

That would have been the next recommendation.
Nice it’s sorted out.