See referer for Hotlink protection events

Hello, I have had Hotlink Protection active on my website for a few months, and I see there are a lot of these picture hotlinking events in the firewall log.

Is there any way to see the Referrer field to understand where these requests are coming from? These events are all coming from my country and mostly from mobile devices, so I can’t understand if I’m blocking something legit (like people sharing posts on Facebook or WhatsApp) or if third-party sites are actually hotlinking pictures.

I also tried downloading the JSON for single events, but the referer field is missing. I tried searching Google for pages including links to my website, but no big results.
I tried searching this forum for previous similar questions but found nothing.
How can I find it?

Thank you very much.

Hello, any hint on this?

The only thing I can think of would be to use Logflare. It has a free tier, but I’m not sure how you’d view the data in this plan. Maybe @chasers (Logflare creator) can assist.

For anybody else who may have the same question in the future, in the meantime I found out the source of all those hotlink events.
I’ve been trying to add firewall rules like this:
“referer”->“contains”->“any domain I could think of” : Action Bypass Hotlink Protection,
and then I finally found out that they are coming from the Google Images search page.

When you click on a picture in Google image search results, you first see it blurry for a couple of seconds and then it loads at better resolution. That is the moment when Google loads the picture from your server.
With hotlink protection enabled, when clicking a picture it remains blurry and a hotlink protection event is generated in the log view.
When disabled, the image correctly loads at full resolution.

Hope it helps somebody else.

Anyway, I don’t understand why Cloudflare doesn’t put the referrer field in either the firewall event or the JSON. That would be very helpful, especially in more dangerous situations than this (and it would have saved me 4 days of trial and error).


