Rules for hotlinking in WAF



I’ve configured some rules in the firewall to avoid hotlinking from certain domains. Is it necessary to replicate them in my .htaccess?

For example, if the image isn’t cached by Cloudflare yet, do those rules in the firewall still work?



Firewall rules apply to any hostname that’s set to the orange cloud (proxied).


Including the initially uncached content that is loaded from the server, right?


If you’re using Cloudflare in front of the content, running hotlink protection at the origin is not going to work correctly.

Hotlink protection is based on the HTTP “referer” request header typically, and this is not included in the cache key when Cloudflare caches your content. This means that the first request to your resource will be cached and all subsequent requests to the same URL will get the same cached response. In practice this means some people will be blocked incorrectly, and others will be allowed incorrectly.

The right approach here would be to disable the hotlinking logic at your origin and enable Cloudflare’s hotlinking feature, or use the more flexible Firewall rules feature to define your own logic on Cloudflare.


Hi Simon,

I haven’t enabled the hotlinking feature. I have rules in the firewall that block certain referers, and they work fine blocking the images.

My question is about the first load of an image: when it isn’t cached by Cloudflare yet and needs to be loaded from the origin server, is that request also blocked by the firewall?

From your response I deduce that I have to disable the rules set in the .htaccess on the origin server and only keep the rules in Cloudflare’s firewall, right?



If when you say “firewall” you mean Cloudflare’s firewall, those rules will run on each & every request made to your website on Cloudflare, regardless of whether the response is in our cache or not.

Correct - running the logic on Cloudflare’s edge and removing the logic at the origin is the right way to have things working.

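The two points Simon makes above, that a referer check at the origin gets "frozen" into the cached copy because the referer is not part of the cache key, and that an edge rule runs on every request including the very first uncached one, can be shown with a small simulation. This is an added example, not code from the thread or from Cloudflare: a toy edge that caches by URL path only (and, as a simplifying assumption, caches whatever the origin returns, 403s included), an origin with .htaccess-style referer logic, and an optional edge rule evaluated before the cache lookup. The hostnames `example.com` and `evil.example` are made up.

```python
"""Why referer-based hotlink protection must live at the edge, not the origin.

Added example (not from the thread). Simulates a CDN edge whose cache key is
the URL path only, so the Referer header never influences which cached
response a client receives.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed "own" domains whose pages are allowed to embed the images.
ALLOWED_REFERER_HOSTS = {"example.com", "www.example.com"}


@dataclass(frozen=True)
class Request:
    path: str
    referer: str  # "" when the browser sent no Referer header (direct load)


@dataclass
class Response:
    status: int
    body: str


def referer_allowed(req: Request) -> bool:
    """Hotlink policy: allow empty referer and own domains, block the rest."""
    if req.referer == "":
        return True
    host = urlparse(req.referer).hostname or ""
    return host in ALLOWED_REFERER_HOSTS


class Origin:
    """Origin server; `protect=True` models .htaccess referer rules."""

    def __init__(self, protect: bool) -> None:
        self.protect = protect
        self.hits = 0  # how many requests actually reached the origin

    def serve(self, req: Request) -> Response:
        self.hits += 1
        if self.protect and not referer_allowed(req):
            return Response(403, "forbidden by origin")
        return Response(200, f"image bytes for {req.path}")


class Edge:
    """CDN edge with a path-keyed cache.

    `edge_rule=True` models a Cloudflare firewall rule: it is evaluated on
    every request, before the cache lookup and therefore before any origin
    fetch, so it also covers the first (uncached) request.
    """

    def __init__(self, origin: Origin, edge_rule: bool) -> None:
        self.origin = origin
        self.edge_rule = edge_rule
        self.cache: dict[str, Response] = {}

    def handle(self, req: Request) -> Response:
        if self.edge_rule and not referer_allowed(req):
            return Response(403, "blocked at edge")
        cached = self.cache.get(req.path)  # Referer is NOT in the key
        if cached is not None:
            return cached
        resp = self.origin.serve(req)
        self.cache[req.path] = resp  # whatever came back is now served to all
        return resp


def run_scenario(origin_protect: bool, edge_rule: bool,
                 requests: list[Request]) -> tuple[list[int], int]:
    """Return (status per request, number of origin hits)."""
    origin = Origin(origin_protect)
    edge = Edge(origin, edge_rule)
    return [edge.handle(r).status for r in requests], origin.hits


if __name__ == "__main__":
    hotlinker = Request("/a.png", "https://evil.example/")
    legit = Request("/a.png", "https://example.com/page")
    direct = Request("/a.png", "")
    # Origin-only protection: first requester decides what everyone gets.
    print(run_scenario(True, False, [hotlinker, legit]))   # legit user blocked
    print(run_scenario(True, False, [legit, hotlinker]))   # hotlinker allowed
    # Edge rule, origin logic removed: correct for every request.
    print(run_scenario(False, True, [hotlinker, legit, hotlinker, direct]))
```

In the edge-rule scenario the hotlinker's first request is rejected without ever reaching the origin, which answers the question about the not-yet-cached image; the legitimate request then populates the cache and later hotlinkers are still refused. In Cloudflare's rule language the same check is written against the `http.referer` field; the exact expression (for instance matching image paths and refusing referers outside your own hosts) is left to the reader since the thread does not show it.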

Yes, yes, I mean Cloudflare’s firewall.

Thank you very much Simon.

