Hotlink Protection with AWS WAF + Cloudfront

Hotlink Protection with AWS WAF + Cloudfront
Photo by Markus Winkler / Unsplash


Hotlink protection is a security measure implemented on websites to prevent unauthorized usage of their content, particularly images, videos, or other media files. It aims to protect the website's bandwidth and server resources by restricting direct linking or embedding of those files on other websites.

When hotlink protection is enabled, the website's server checks the referrer header of incoming requests to determine if the request is coming from an authorized source. The referrer header contains the URL of the page that initiated the request. Suppose the referrer header doesn't match the allowed sources specified by the website. In that case, the server may respond by blocking the request or serving an alternative image or error message instead of the desired content.


You migrated all your content to the AWS CloudFlare service, then you realize that a different site is using your content without permission. You immediately went to the CloudFront service, but the AWS CloudFront product does not provide Hotlink Protection by default. Using this feature, you need to use different products to increase the security of your content.

AWS WAF Configuration

First of all, you need to create new web ACLs from the AWS WAF screen. After this, you need to populate some fields such as name, description and most importantly Amazon CloudFront distributions from Resource type.

Associate your CloudFront Distribution and click the Next button

Click Add Rules then select the "Add my own rules and rule groups" option.

After selecting the Rule Builder option, in order:

  • Inspect: Single Header
  • Header field name: Referer
  • Match type: Contains word
  • String to match: "your domain name"
  • Text transformation: none

You need to select Allow Actine from the "Then" section.


In this article, I tried to explain how we can prevent our valuable resources from being consumed by different web pages by checking referrers thanks to AWS WAF.

See you in the next article. 👻