Allowed Referrers For Sharing Social Media Shared Link Images When Using Hotlink Protection

If you’re using hotlink protection but want to make exceptions to allow social media services to pull images for shared links, here’s the list of allowed referrers I’ve been using.

Text & Photos By David Coleman

Last Revised & Updated: November 22, 2023

Filed Under: Photography Workflow, , Wordpress for Photographers

Topics: Wordpress tricks

I MAY get commissions for purchases made through links in this post.

Quick Summary

Hotlink protection prevents external sites from using your server’s bandwidth to display images but can block social media shared link images.
While hotlink protection stops direct embedding, it doesn’t prevent image theft or re-uploading to other servers.
Social media services like Facebook need access to pull images directly from your server for shared links, typically via the og:image tag in Open Graph.
Cloudflare offers a binary hotlink protection, but specific allowed domains can be set in server’s .htaccess or certain CDN services.
For social media shared link images, allow referrers:
- Facebook: *.facebook.com, *.fbcdn.net
- Twitter: *.twitter.com, *.twimg.com
- LinkedIn: *.linkedin.com, *.licdn.com
Ensure to include your own domain names and consider wildcard usage for various subdomains.

Hotlink protection is a useful way to prevent others from siphoning off your bandwidth by drawing the data for images from your server’s bandwidth.

It doesn’t prevent people from stealing your images—it just prevents them from embedding them on their site while pulling them directly from your server. It’s a method that’s also often referred to as leeching.

It also doesn’t stop them from just downloading the file and uploading it to their own site and serving it from there.

But there are times when you might want to use hotlink protection but still allow certain external domains to pull the images directly. Obviously, you want your own domains to be able to do this. But another situation I run into often is with images in shared links on social media services.

Hotlinking Images on Common Services

If you upload an image directly to a service such as Facebook, the image is uploaded and stored on Facebook’s servers and it’s completely separate from your own site and server. But with shared links, Facebook (or the other social media services) needs to be able to pull the image directly from your server. A common way to do this is through the og:image tag in Open Graph.

Cloudflare has a hotlink protection option under its Scrape Shield tab that takes a one-size-fits-all approach. That is, it’s either on or off, and you don’t have any option to fine-tune the allowed domains. But you can be more specific either on your server’s .htaccess file or through some CDN services that give you the option to set allowed referrers.

On KeyCDN, for instance, you do it through the Zone Referrers section.

On BunnyCDN, you can find the Allowed Referrers option under the Security category. ¹

Below are the referrers I’ve been using to allow social media shared link images. I’m posting this mostly for my own reference, and I certainly can’t guarantee that the list is comprehensive or that all of these are actually necessary. But this list has been working for me, so maybe it’ll be useful as a starting point for someone else.

Facebook:

*.facebook.com
*.fbcdn.net

Twitter:

*.twitter.com
*.twimg.com

Linked In:

*.linkedin.com
*.licdn.com

Notes

I’m using wildcards here in place of hard-coded subdomains because these services tend to have multiple CDN subdomains they can pull from.

I haven’t included Instagram because you can’t share links there, so it’s not going to be pulling the images from your domain.

Don’t forget to add your own domain names as well.

The way that wildcards are used here doesn’t include the root domain, so you might need to add those, too.

One issue I’ve run into with BunnyCDN s that it doesn’t appear to support empty referrers—or at least have an option to enable support for them, as KeyCDN has. That seems to block some authentic search engine bots and thus lead to 403 errors. You only run into this issue if you have any Allowed Referrers set. If you leave that blank, there are no restrictions in place.[↩]

News

Nov 22: ProGrade Digital has released their next-generation CFexpress 4.0 cards. Using PCIe Gen 4, they provide read speeds of up to 3400MB/s and sustained write speeds of up to 2400MB/s. They’re available in 512GB, 1TB, and 2TB sizes. But an important caveat before you rush out and buy one: These are designed for future cameras, not currently available ones. That’s because current cameras don’t use CFexpress 4.0 and therefore can’t take advantage of the speed benefits that it provides. So, for now, the only benefit you’ll see with these is if you happen to be using the ProGrade Digital PG05.6 USB 4.0 Reader you should get faster download speeds to your computer. And in case you’re wondering what happened to 3.0 . . . they’re skipping that, going straight from 2.0 to 4.0.
Nov 20: The 2023 Photography Black Friday deals are coming in thick and fast. I have a running list of particularly good deals that have caught my eye.
Nov 15: Nikon has released new firmware for the Nikon Zfc. Only listed change is support for a new model of battery that isn’t yet in stores (EN-EL25a).
Nov 7: Sony has announced a new top-shelf camera, the Sony a9 III. Like the others in the a9 series, the emphasis with this one is on speed. And to highlight the point, this one comes with a brand new type of sensor known as a Global Shutter Sensor rather than a rolling shutter. That allows shutter speeds of up to 1/80,000 and, incredibly a flash sync also at 1/80,0000. It’s a 24MP full-frame sensor and has an impressive array of features (4K120 video, 8-stop 5-axis stabilization, 759-point phase detection AF with tacking, etc). Priced at $5,999. Preorders open Nov 8 at 9am Eastern at B&H Photo.
Nov 7: Sony has announced a new high-end telephoto prime: the Sony FE 300mm f/2.8 GM OSS. MSRP or $5,999. Preorders open Nov 8 at 9am at B&H Photo
Oct 11: Nikon has announced a smaller and lighter 600mm telephoto lens for their Z mirrorless cameras: the NIKKOR Z 600mm ƒ/6.3 VR S. It weighs just over 3 pounds / 1.4 kg (which is under half of the ƒ/4 version) and about 11 inches long, making it far more portable and also far more viable to shoot hand-held without a tripod or monopod. It also costs under a third of the ƒ/4 version. It hasn’t yet hit the shelves but is available for preorder.
Oct 9: The Super telephoto lens category seems to be booming right now, which is great for wildlife and sports photographers who don’t want to take out a second mortgage to invest in one of the big-dollar telephotos. Tamron has announced a Nikon Z-mount version of their 150-500mm f/5-6.7 Di III VXD super telephoto zoom. There have been Fujifilm X and Sony E versions for a while. And it comes with at a very respectable MSRP of $1399. Expected to start shipping at the beginning of November and currently available for preorder.
Oct 5: Sigma has announced a new, small ultrawide zoom for APS-C mirrorless cameras: the 10-18mm ƒ/2.8 DC DN Contemporary. It’s small (2.4 inches long), has fast, smooth focusing aimed at video shooters, and is competitively priced. Versions for Fujifilm X, Leica L, and Sony E mounts. It’s currently available for preorder.
Oct 4: If you shoot with a Ricoh GR camera, whether film or digital, Pentax/Ricoh have announced the 2023 GR Photo Festival 2023. You can find information about entering it here.
Oct 4: Nikon has released updated firmware for the Z9 (Ver. 4.10). Seems to be a minor update, adding Birds and Airplanes to the AF subject detection options. Download the update here.
Sept 28: DxO has released PhotoLab 7 and FilmPack 7 as well as a new update for PureRAW, adding support for a bunch of new cameras and lenses.
Sept 27: Nikon has announced a new high-end, fast telephoto prime that promises to be a hit with portrait and wedding photographers as well as those shooting cinematic video: the Nikon NIKKOR Z 135mm ƒ/1.8 S Plena. Optical features that set this apart from the usual include distinctive circular bokeh and even corner-to-corner sharpness and light with minimal light falloff from vignetting. It’s available for preorder.
Sept 26: Canon has release new firmware for the Canon EOS R5. It’s version 1.9.0. Mostly bug fixes, with some relatively minor feature additions such as better voice memo management and enhanced security for some data transfer protocols. You can find it here.
Sept 21: There’s a bug in the GoPro HERO12 Black if you’re using The Remote with a multi-cam setup. It’s related to turning the cameras on an off with the remote. More here.
Sept 20: Nikon has announced the new retro-styled full-frame mirrorless, the Zf. Behind the old-style look are some impressive features. Given the popularity of other cameras of this style in recent years, I’d expect it to be a hit. And it’ll go nicely with some of the very small fast primes that Nikon has already released in the Z lineup. The Zf is currently available for preorder.
Sept 13: OM System (formerly Olympus) has announced the latest version of their impressive go-anywhere adventure camera, the OM SYSTEM Tough TG-7. Waterproof and tough enough to take a beating on your travels, it also boasts impressive image and video quality and features. I’ve covered the TG-5 here before; the TG-7 builds on that same foundation. The TG-7 is available for preorder.
Sept 12: Fujifilm has announced a new medium format mirrorless camera: Fujifilm GFX 100 II. There are three new lenses alongside it, a GF 55mm f/1.7R WR and two new tilt-shift lenses.
Sept 11: Lexar has launched a new line of affordably priced UHS-II SD cards, the Silver Pro line. Sizes from 64GB to 512GB, write speeds of up to 160 MB/s and read speeds up to 280 MB/s.
Sept 11: I’ve added some new recommendations for SD cards for the new GoPro HERO12 Black as well as the new DJI Osmo Action 4.
Sept 6: The new GoPro HERO12 Black is now available for preorder.
Sept 4: B&H has some great deals to go along with their BILD expo. For example, $800 OFF the Canon EOS R5 mirrorless body (use code BILDBH50 at checkout).
Sept 2: The CompactFlash Association has released the spec for CFexpress 4.0. It will keep the same form factors but have double the theoretical maximum speed, to 4 GB/s, while maintaining backward compatibility. It’s the next evolution of CFexpress after the current 2.0 (they are skipping 3.0) and applies to all three form factors: A, B, and C.

Text & Photos by David Coleman

Leave a Comment Cancel reply

I'm a Member Of:

Allowed Referrers For Sharing Social Media Shared Link Images When Using Hotlink Protection

Hotlinking Images on Common Services

Notes

Related Posts

Text & Photos by David Coleman

Leave a Comment Cancel reply

I'm a Member Of:

Newsletter

Thank you!