Prevent direct access to JPG

Security
#1

Hello guys,

I need a bit of help in executing the following.

  • when any user try to access all my JPGs through my website (e.g. by browsing my pages) I would like this to work.
  • instead, when they try to access all of my JPGs DIRECTLY (eg. by inputing the .jpg URL on the address bar), I want CF (WAF) to block the request.
  • when search engines try to access my images they should be allowed
  • cloudflare stream service should be whitelisted (videodelivery and cf.com websites) and should be able to access all of my images in any way

I tried multiple ways but couldn’t achieve this.

Is anyone able to help me?
I would be immensely grateful!!

Thanks a lot
Dr Fung

#2

I don’t know what a request from Stream would look like, but this rule depends on your site setting a correct Referrer (this is usually on by default). And if it’s NOT a known (good) bot. Then block.

Screen Shot 2021-03-05 at 11.39.27 AM
Screen Shot 2021-03-05 at 11.39.27 AM2148Ă—1124 166 KB

1 Like
#3

Hello sdayman,

thanks a lot for your quick answer!
Unfortunately that didn’t work out and completely broke my website.
I added this:

Screenshot 2021-03-05 at 21.49.34
Screenshot 2021-03-05 at 21.49.342338Ă—246 22.5 KB

And that partially solved my problem but some parts of my website are still broken…

#4

My apologies. I did miss probably the most important part, the URI of the images.

What’s broken? If something on your site doesn’t include the Referer header, that rule won’t let the image load.

1 Like
#5

Don’t worry I eventually figured it out by myself something was missing :wink:

It’s broken in the sense that on some pages the image don’t loads indeed.
I think it’s like you said: some pages use scripts or something where the referrer is empty or something, that’s why it prevents those images to load…

1 Like
#6

The only other thing I can think of is Cloudflare’s pre-packaged Hotlink Protection on the Scrape Shield page. But it works pretty much the same way, though it appears to add one more rule: If Referrer does not equal “” (empty quotes for blank). That might be a last resort, and should help some.

1 Like
#7

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.