Prevent direct subdomain access and require redirect

I have a website where the photos are using a Backblaze bucket accessed via CNAME:

Because Workers aren’t allowed on CNAMEs (outside Business/Enterprise accounts), I am currently redirecting incoming links like this to run a Worker: → Page Rule redirect →

However, if a user accesses directly they bypass the Worker. I’d like my users to hit the Worker domain before seeing the photo(s). Is there a way to block direct access to* unless they hit the Worker domain first?

I tried a Firewall rule blocking unless was the referrer. But this didn’t work and just blocked access even after the redirect.


If adding a query string is ok in your case, you could add a QS with the Worker, then have a Redirect Rule (Dynamic Redirect) for conditional on not having the QS.


Thanks for the reply. I ended up doing something a bit different. Since I’m using Backblaze B2, I ended up following this guide. Now the content is only available via Workers Custom Domains, so the Workers cannot be (easily) bypassed.

As a bonus, the content returns an error if it is somehow accessed directly/outside Cloudflare.

1 Like