Edge Developer Platform
  • Edge Functions
    • Overview
    • Getting Started
    • Operation Guide
      • Function Management
      • Function Trigger
    • Runtime APIs
      • addEventListener
      • Cache
      • Cookies
      • Encoding
      • Fetch
      • FetchEvent
      • Headers
      • Request
      • Response
      • Streams
        • ReadableStream
        • ReadableStreamBYOBReader
        • ReadableStreamDefaultReader
        • TransformStream
        • WritableStream
        • WritableStreamDefaultWriter
      • Web Crypto
      • Web standards
      • Images
        • ImageProperties
    • Sample Functions
      • Returning an HTML Page
      • Returning a JSON Object
      • Fetch Remote Resources
      • Authenticating a Request Header
      • Modifying a Response Header
      • Performing an A/B Test
      • Setting Cookies
      • Performing Redirect Based on the Request Location
      • Using the Cache API
      • Caching POST Requests
      • Responding in Streaming Mode
      • Merging Resources and Responding in Streaming Mode
      • Protecting Data from Tampering
      • Rewriting a m3u8 File and Configuring Authentication
      • Adaptive Image Resize
      • Image Adaptive WebP
      • Customize Referer restriction rules
      • Remote Authentication
      • HMAC Digital Signature
      • Naming a Downloaded File
      • Obtaining Client IP Address
    • Best Practices
      • Adaptive Image Format Conversion via Edge Functions
このページは現在英語版のみで提供されており、日本語版も近日中に提供される予定です。ご利用いただきありがとうございます。
Docs Overview/
Edge Developer Platform/
Edge Functions/
Sample Functions/
Customize Referer restriction rules /

Customize Referer restriction rules

This example determines the source of a request by checking the Referer field in the HTTP request header. You can flexibly set the matching rules for the Referer field based on your needs. If the Referer field in a request is missing or its value does not match the preset domain name list, the edge function will block such requests and return a 403 status code to indicate that the access is denied. This is commonly used to restrict access to resources on websites.
async function handleRequest(request) {
  // Collect the Referer
  const referer = request.headers.get('Referer');

  // If the Referer is empty, access is denied
  if (!referer) {
    return new Response(null, { status: 403 });
  }
  
  // Set Referer allowlist
  const urlInfo = new URL(request.url);
  const refererRegExp = new RegExp(`^https?:\/\/${urlInfo.hostname}\/t-[0-9a-z]{10}\/.*`)
  
  // If the Referer is not on the allowlist, access is denied
  if (!refererRegExp.test(referer)) {
    return new Response(null, { status: 403 });
  }

  // Normal request, access EdgeOne node cache or origin-pull
  return fetch(request);
}

addEventListener('fetch', event => {
  // When the function code throws an unhandled exception, the Edge function transmits this request back to the origin
  event.passThroughOnException();
  event.respondWith(handleRequest(event.request));
});

Example Preview

Enter the URL that matches the Edge function triggering rules in the address bar of the browser on the PC end and mobile end (e.g., https://example.com/images/ef-1.jpeg) to preview the example effect.
HTTP request header Referer is https://example.com/t-0123456789/page, and the Edge function responds normally to the image.

HTTP request header Referer is not on the allowlist, and the Edge function identifies it as a leeching link and responds with a 403 status code.


Related References

Runtime APIs: Fetch
Runtime APIs: Headers
Runtime APIs: Response