Since the ordinary referrer check is almost useless (sending of a referrer header can be easily disabled by <meta> tag) so there are a few ways of protection :
One of the best ways to protect from hotlink is to bind URL to IP of the browser and specify the list of allows referees. But about 10-15% of visits use dynamic IP (there will be a request to the website from one IP and from another one to CDN). to block hotlinking but allow access to users with dynamic IPs (or cookies disabled) vCDN have the following rule: if IP binding check fails, or cookie check fails, but VALID (non-empty) REFERER is found - then access is granted. You can also add a cookie check - if its value matches the key value, then the request is valid, even if there is no IP binding or no ref (if the ref is, but does not match, the request will be rejected).
If IP binding is not used, the absence of a valid cookie will not reject the request only if there is a valid ref. But to use a cookie, you need to :
- - delegate your subdomain to our NSs, so that we can use them in redirects to streams;
- - provide us with certificate *.cdn.example.com for redirects to streaming servers https://ip123456.cdn.example.com/.. (in other case cookie check won`t work).
It is possible to specify a "white list" of addresses for which the URL signature will not be checked (setting the keycheck_whitelist on the client). It is done through the support team.