anti-hotlinking with referer header
chencch opened this issue · comments
Some users want to protect against hotlinking. A simple way is checking the value of Referer header with a CloudFront Functions function. The request will be rejected if the referer is not in the allow list.
There is a Lambda@Edge code example on Github, but no CloudFront Functions code.
The following is my CFF code. It has been tested in my environment and has been deployed in the production of a few customers. I was wondering if it is useful for this project?
//Escape "." character in a string
RegExp.escape = function(string) {
return string.replace(/\./g, '\\.');
};
function handler(event) {
var request = event.request;
var headers = request.headers;
var referrer = headers['referer'];
var response = {
statusCode: 403,
statusDescription: 'Forbidden',
headers: {
'content-type': { 'value': 'text/plain' }
},
body: 'Invalid referrer domain'
};
// Allow requests without the Referer header
if (!referrer) return request;
// Or block requests without the Referer header
// if (!referrer) return response;
var fqdn = referrer['value'].split('/')[2];
// Input your allowed domain name here
var allowedDomains = [
'domain1.com',
'*.domain1.com',
'domain2.com',
'*.domain2.com',
'sub.domain3.com',
'*.sub.domain3.com'
];
var allowedRegexList = [];
//Convert string to regex
for (var i=0; i<allowedDomains.length; i++) {
var domainName = allowedDomains[i];
if (domainName.startsWith('*')) {
domainName = domainName.replace('*', '');
var reg = new RegExp(RegExp.escape(domainName) + '$');
} else {
reg = new RegExp('^' + RegExp.escape(domainName) + '$');
}
allowedRegexList.push(reg);
}
var matchFound = false;
for (var j=0; j<allowedRegexList.length; j++) {
if (fqdn.match(allowedRegexList[j])) {
matchFound = true;
break;
}
}
if (!matchFound) return response;
return request;
}