Hotlink Protection question

**DanLeon** · May 3, 2019, 5:34pm

Please help!
How to allow displaying image links on allowed websites. And all is blocked.

**Withheld** · May 3, 2019, 1:26am

If it’s for your site, go here https://dash.cloudflare.com/content-protection, select your domain and disable Hotlink Protection.

**DanLeon** · May 3, 2019, 1:30am

I can only block all and turn off all. I want to display images on website I allow. How to?

**Withheld** · May 3, 2019, 1:33am

Hotlink help is located directly under the On/Off

**DanLeon** · May 3, 2019, 1:36am

But I see other people can accept to display images on websites they want. And all other website is blocked.

**jules** · May 3, 2019, 2:01am

It’s actually a really good question. You would have to set up a firewall rule. The rule would have to consider the file being loaded (image extensions) and the referrer object. If the referrer matches your whitelisted domains then load the image, otherwise block the attempt or load some “blocked” image graphic.
Also - make sure you allow good bots to index your images (if you want them to be).

Unfortunately I don’t have much practice in creating firewall rules. Someone else will have to step in here.

**saul** · May 3, 2019, 7:25am

If I understand correctly then you want to allow your sites to be linked on certain sites, but blocked everywhere else? I turn off the ScraepShield HotLink protection and use a Firewall Rule along the lines of:

http.request.full_uri contains "yoursite.com/assets/" and not (http.request.uri.path contains "/hotlink-ok/" or http.referer contains "allowedsite1.com" or http.referer contains "allowedsite2.com" or http.referer contains "allowedsite3.com" or not cf.client.bot)
then
block

This says that anything under the path /assets/ (so change this to images or whatever is an identifable name of the folder containing the items you want to protect) can only be seen when loaded into pages on sites allowedsite1.com, allowedsite2.com, allowedsite3.com (Your own site must be in this list). This bit about hotlink-ok is to copy existing ScrapeShield functionality which is if you put a hotlink-ok folder in your assets folder the contents of that can be seen everywhere. And the last part of the if condition allows bots such as from search engined to scrape your site to index and archive it. Feel free to remove that, I don’t use it myself but thought it might be useful by way of demonstration of what’s possible.

**lismanhassan2401** · May 3, 2019, 7:33pm

Good idea:+1:

**jules** · May 3, 2019, 8:19pm

Nearly exactly what I was thinking. That snippet should be in the Tips section!