Anti-Hotlinking
Content protection primarily resolves the hotlinking* problem, making it impossible (or significantly more difficult) to use your content on someone else’s site.
*hotlinking — using someone else’s content on a site or other platform without any rights to do so, for instance by embedding <img>, <video>, or similar tags in the site’s HTML that refer to another site’s assets, in order to save money on hosting and profit from other people’s content.
URL signature
URL signatures are a crucial content security feature, particularly for hotlinking prevention. Our mechanism is comparable to the “NGINX Securelink” functionality but tailored for Anycast CDN setups.
By implementing URL signing, you can:
Verify the authenticity of incoming requests.
Prevent unauthorized resource access, even if an unauthorized party discovers the URL.
Limit the link lifetime to an exact period.
Prevent link sharing between users, restricting access to certain user IPs.
How URL Signing Works
When URL signing is enabled, each content request must include a signature that confirms it is authorized. The signature is generated using a specific data format, hashed with MD5, and checked against the CDN’s validation logic.
Format
To create a valid signature, use the following data format before applying the MD5 hashing algorithm:
$expiration_date$uri$client_address $signing_key
Components
$expiration_date: The expiration timestamp (in seconds or another agreed format) that limits the validity of the link. Once this time is exceeded, the link becomes invalid.
$uri: The Uniform Resource Identifier of the requested resource.
$client_address: The IP address of the client requesting the resource. This binds the signature to a specific client, adding another layer of protection.
$signing_key: A secret key shared between the server and the signature generator. This key ensures that only authorized parties can create valid signatures.
Parameters
Secure link argument name — mandatory if the option is enabled. By default, it is set to the MD5 hashing algorithm.
Signing key — your unique secret key, used to generate the signature and verify the link. It is mandatory. A value of under 10 alphanumeric characters is expected.
Check link expiration — optional parameter. If enabled, limits the link lifetime by adding an expiration timestamp to the argument. Boolean; default is true.
Expiration date argument — used to send the expiration timestamp in Unix time format (seconds since 1970-01-01). Default is expires; validation is the same as for the Secure link argument.
Check the client address — optional parameter that checks whether the URL signature was generated for the requesting address. By default, it is set to active.
Once you have configured all the necessary access settings, click Save changes.
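The signing format and the expiration and client address checks described above, as an added example that is not the CDN's own code. It assumes the signature is sent as unpadded base64url text (as NGINX secure_link does) in an argument named `md5`; the key, path and IP addresses are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

SIG_ARG = "md5"      # assumed secure link argument name
EXP_ARG = "expires"  # default expiration date argument (from the page)


def make_signature(expires, uri, client_ip, key):
    """MD5 over '$expiration_date$uri$client_address $signing_key'."""
    data = f"{expires}{uri}{client_ip} {key}".encode()
    digest = hashlib.md5(data).digest()
    # Assumption: unpadded base64url text, as NGINX secure_link uses.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_url(uri, client_ip, key, now, ttl):
    """Build a link valid for `ttl` seconds and only for `client_ip`."""
    expires = now + ttl
    query = urlencode({SIG_ARG: make_signature(expires, uri, client_ip, key),
                       EXP_ARG: expires})
    return f"{uri}?{query}"


def verify_url(url, client_ip, key, now):
    """Return 'ok', 'expired' or 'forbidden' for an incoming request."""
    parts = urlsplit(url)
    args = dict(parse_qsl(parts.query))
    try:
        expires = int(args[EXP_ARG])
        presented = args[SIG_ARG].encode()
    except (KeyError, ValueError):
        return "forbidden"
    # Recompute from the values the edge actually sees, then compare
    # in constant time so the check does not leak matching prefixes.
    expected = make_signature(expires, parts.path, client_ip, key).encode()
    if not hmac.compare_digest(expected, presented):
        return "forbidden"
    return "expired" if now > expires else "ok"


# Constructed sample values (documentation IP ranges, made-up key).
KEY = "s3cr3tK3y"
NOW = 1700000000
URL = sign_url("/video/intro.mp4", "203.0.113.10", KEY, NOW, 300)

if __name__ == "__main__":
    print(URL, verify_url(URL, "203.0.113.10", KEY, NOW + 10))
```

Because the expiration timestamp is part of the hashed data, editing the `expires` argument in a link invalidates its signature rather than extending its lifetime.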