Allowed Referrers For Sharing Social Media Shared Link Images When Using Hotlink Protection

If you're using hotlink protection but want to make exceptions to allow social media services to pull images for shared links, here's the list of allowed referrers I've been using.

Posted by David Coleman on July 12, 2019

Hotlink protection is a useful way to prevent others from siphoning off your bandwidth. It doesn't prevent people from stealing your images; it just prevents them from embedding your images on their site while pulling them directly from your server. It doesn't stop them from simply downloading the file, uploading it to their own site, and serving it from there.

But there are times when you might want to use hotlink protection and still allow certain external domains to pull the images directly. Obviously, you want your own domains to be able to do this. Another situation I run into often is images in shared links on social media services.

If you upload an image directly to a service such as Facebook, the image is uploaded to and stored on Facebook's servers, completely separate from your own site and server. But with shared links, Facebook (or whichever social media service it is) needs to be able to pull the image directly from your server. A common way to tell it which image to pull is the og:image tag in Open Graph.

Cloudflare has a hotlink protection option under its Scrape Shield tab that takes a one-size-fits-all approach. That is, it's either on or off, and you don't have any option to fine-tune the allowed domains. But you can be more specific either in your server's .htaccess file or through CDN services that give you an option to set allowed referrers. On KeyCDN, for instance, you do it through the Zone Referrers section. On BunnyCDN, you can find the Allowed Referrers option under the Security category.[1]

Below are the referrers I've been using to allow social media shared link images. I'm posting this mostly for my own reference, and I certainly can't guarantee that the list is comprehensive or that all of these are actually necessary. But this list has been working for me, so maybe it'll be useful as a starting point for someone else.

Facebook:

  • *.facebook.com
  • *.fbcdn.net

Twitter:

  • *.twitter.com
  • *.twimg.com

LinkedIn:

  • *.linkedin.com
  • *.licdn.com

Notes

I'm using wildcards here in place of hard-coded subdomains because these services tend to have multiple CDN subdomains they can pull from.

I haven't included Instagram because you can't share links there, so it's not going to be pulling the images from your domain.

Don't forget to add your own domain names as well.

The way wildcards are used here, they don't match the root domain itself (e.g. facebook.com without a subdomain), so you might need to add those, too.
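As an added example (not from the original post), here is how the same allowlist looks as .htaccess rules using mod_rewrite; example.com stands in for your own domain, and the first condition lets through requests with no Referer header, which covers direct visits, privacy-stripping browsers and the search-engine bots mentioned in the footnote. The `([^/]+\.)?` prefix makes each pattern match the root domain as well as any subdomain, which the CDN-style wildcards above do not.

```apache
# Added example: referrer-based hotlink protection for images (assumes mod_rewrite is enabled).
RewriteEngine On

# Let requests without a Referer header through (direct visits, bots, privacy-stripping browsers).
# Remove this line if you want empty referrers blocked as well.
RewriteCond %{HTTP_REFERER} !^$

# Your own site: root domain and every subdomain, http or https (example.com is a placeholder).
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com(/|$) [NC]

# Social media services that fetch the og:image of a shared link.
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?(facebook\.com|fbcdn\.net)(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?(twitter\.com|twimg\.com)(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?(linkedin\.com|licdn\.com)(/|$) [NC]

# Every condition above is negated, so this rule fires only when the referrer matched none of them:
# image requests from any other referrer get a 403 Forbidden.
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC,L]
```

The `(/|$)` suffix stops a lookalike such as facebook.com.attacker.example from matching, since the allowed host must be followed by a slash or the end of the URL.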


  1. One issue I've run into with BunnyCDN is that it doesn't appear to support empty referrers, or at least doesn't have an option to enable support for them, as KeyCDN has. That seems to block some legitimate search engine bots and thus leads to 403 errors. You only run into this issue if you have any Allowed Referrers set. If you leave that blank, there are no restrictions in place.