referer-blacklist

Deny requests based on the HTTP "Referer" request header (RFC 2616 Section 14.36, now RFC 7231 Section 5.5.2). Commonly used to stop hotlinking: when the HTML page that embeds the content is one of the sites known for deep linking to the site operator's content, the request is denied. The behavior relies on the client being a browser that populates the Referer header as the RFC describes; a client that omits or forges the header is not constrained by it.

Note that a browser omits the Referer header when the referring page was loaded over HTTPS and the requested resource is fetched over plain HTTP (RFC 2616 Section 15.1.3), so the header is not always available to match on. As a safeguard, it is best to pair this behavior with a match on "url-scheme" with a value of "HTTP", as shown in the example below.

The behavior uses a wildcard syntax in which "*" matches any run of characters (including none), so a single pattern can cover many Referer values. Examples include:

  • *.somebaddomain.com* (any scheme, any subdomain of somebaddomain.com, any path)
  • *.somebaddomain.com/this/path/is/not/allowed* (only pages under that path prefix)

In this example, the content publisher knows that two web sites, "www.somebadsite.com" and "www.dontstealmystuff.com", frequently embed content from their site without permission. The leading and trailing wildcards make the referring page's scheme (HTTP or HTTPS) and URL path irrelevant, so any page on either host is denied; a pattern can instead be narrowed on any of these URL attributes when that is wanted. Multiple patterns are separated by a space:


  {
    "rules": [
      {
        "matches": [
          {
            "name": "url-scheme",
            "value": "HTTP"
          }
        ],
        "behaviors": [
          {
            "name": "referer-blacklist",
            "value": "*www.somebadsite.com* *www.dontstealmystuff.com*"
          }
        ]
      }
    ]
  }

Another side note regarding the "Referer" header: when a page loaded over HTTPS links to content served over plain HTTP, browsers generally display a mixed-content warning to the end user, and if the request is still made the Referer header is omitted, so the behavior has nothing to evaluate. Some personal firewalls, browser extensions (at least for Firefox and Chrome) and client-side proxy solutions can also strip the Referer header from every request, and a referring site can instruct browsers to omit it with the Referrer-Policy header or an equivalent meta tag. A request that carries no Referer never matches a blacklist pattern, so this behavior deters casual hotlinking but should not be relied on as the sole access control for the content.
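The following is an added example, not part of the original page or of the product's own implementation. It models how the wildcard patterns above are evaluated against a Referer value and how the rule's "url-scheme" match gates the behavior, then runs a set of constructed requests through it, including a request with no Referer (the HTTPS-to-HTTP or header-stripping case from the side note) to show that such requests pass through undenied. Case-insensitive matching, the request dictionary layout, and the host "www.partner.example" are assumptions made for the illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample pattern list, taken from the page's example rule (with the
# second host name spelled as in the prose: "www.dontstealmystuff.com").
BLACKLIST = "*www.somebadsite.com* *www.dontstealmystuff.com*"


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one wildcard pattern into a regular expression.

    Only '*' is special (zero or more of any character); everything else is
    literal, so '.' in a host name does not act as a regex metacharacter.
    Case-insensitive comparison is an assumption, not documented behavior.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


def referer_denied(referer: Optional[str], blacklist: str = BLACKLIST) -> bool:
    """True when the Referer value matches any space-separated pattern.

    A request with no Referer header never matches: the behavior can only
    act on a header the client actually sent.
    """
    if referer is None:
        return False
    return any(glob_to_regex(p).fullmatch(referer) is not None
               for p in blacklist.split())


def evaluate(request: Dict) -> str:
    """Apply the page's example rule to one request.

    The rule's 'matches' gate the behavior: it runs only for url-scheme HTTP.
    Returns 'deny', 'allow', or 'no-match' (the rule did not apply at all).
    """
    if request["url_scheme"].upper() != "HTTP":
        return "no-match"
    if referer_denied(request["headers"].get("Referer")):
        return "deny"
    return "allow"


# Constructed requests covering the cases discussed in the text.
SAMPLE_REQUESTS: List[Dict] = [
    # Hotlink from a listed host over HTTP: denied.
    {"url_scheme": "HTTP",
     "headers": {"Referer": "http://www.somebadsite.com/gallery.html"}},
    # Listed host over HTTPS with a deep path: the leading and trailing '*'
    # make scheme and path irrelevant, so this is denied too.
    {"url_scheme": "HTTP",
     "headers": {"Referer": "https://www.dontstealmystuff.com/a/b?img=1"}},
    # A legitimate referring site (assumed host): allowed.
    {"url_scheme": "HTTP",
     "headers": {"Referer": "http://www.partner.example/page.html"}},
    # No Referer at all (HTTPS page linking to HTTP content, or a client that
    # strips the header): nothing to match, so the request is allowed.
    {"url_scheme": "HTTP", "headers": {}},
    # HTTPS request: the example rule's url-scheme match does not fire, so the
    # behavior is never consulted even though the Referer is a listed host.
    {"url_scheme": "HTTPS",
     "headers": {"Referer": "http://www.somebadsite.com/"}},
]


def run_samples() -> List[str]:
    """Evaluate every constructed request and return the decisions in order."""
    return [evaluate(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, run_samples()):
        shown = req["headers"].get("Referer", "<no Referer>")
        print(f"{req['url_scheme']:5} {shown:45} -> {decision}")
```

The fourth sample is the one to keep in mind when deciding how much to trust this behavior: a hotlinking page served over HTTPS that embeds HTTP content, or any client that strips the header, produces a request with no Referer and is allowed through exactly like a legitimate visitor.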