anti-hotlinking with referer header

[chencch]

Some users want to protect against hotlinking. A simple way is checking the value of Referer header with a CloudFront Functions function. The request will be rejected if the referer is not in the allow list.

There is a Lambda@Edge code example on Github, but no CloudFront Functions code.

The following is my CFF code. It has been tested in my environment and has been deployed in the production of a few customers. I was wondering if it is useful for this project?

//Escape "." character in a string
RegExp.escape = function(string) {
    return string.replace(/\./g, '\\.');
};

function handler(event) {
    var request = event.request;
    var headers = request.headers;

    var referrer = headers['referer'];

    var response = {
        statusCode: 403,
        statusDescription: 'Forbidden',
        headers: {
            'content-type': { 'value': 'text/plain' }
        },
        body: 'Invalid referrer domain'
    };

    // Allow requests without the Referer header
    if (!referrer) return request;
    // Or block requests without the Referer header
    // if (!referrer) return response;

    var fqdn = referrer['value'].split('/')[2];

    // Input your allowed domain name here
    var allowedDomains = [
        'domain1.com',
        '*.domain1.com',
        'domain2.com',
        '*.domain2.com',
        'sub.domain3.com',
        '*.sub.domain3.com'
    ];

    var allowedRegexList = [];

    //Convert string to regex
    for (var i=0; i<allowedDomains.length; i++) {
        var domainName = allowedDomains[i];
        if (domainName.startsWith('*')) {
            domainName = domainName.replace('*', '');
            var reg = new RegExp(RegExp.escape(domainName) + '$');
        } else {
            reg = new RegExp('^' + RegExp.escape(domainName) + '$');
        }
        allowedRegexList.push(reg);
    }

    var matchFound = false;
    for (var j=0; j<allowedRegexList.length; j++) {
        if (fqdn.match(allowedRegexList[j])) {
            matchFound = true;
            break;
        }
    }

    if (!matchFound) return response;

    return request;
}

[techmav]

faced with domain limit
34 domains - all good
35 - fails
seems like reaching some limit

update: found the problem it is caused by "Compute utilization"
The CloudFront function associated with the CloudFront distribution is invalid or could not run. RangeError: Regex execute instruction limit exceeded

[chencch]

Hi @techmav , I appreciate your valuable feedback.

The reason for this is the use of regular expressions, which can be computationally expensive and exceed the maximum execution time of 1 millisecond. This happens because:

• The function builds and processes multiple regex patterns dynamically at runtime.
• When 35+ domains are added, the regex execution overhead grows due to multiple wildcard patterns (*.domain.com), leading to increased compute utilization.
• The original code processes each regex separately, which leads to repeated match() calls on multiple patterns. This scales poorly when many domains are involved.

Instead of looping through multiple regex patterns, we may optimize the function by using endsWith:

function handler(event) {
    var request = event.request;
    var headers = request.headers;
    var referrer = headers['referer'];

    var response = {
        statusCode: 403,
        statusDescription: 'Forbidden',
        headers: {
            'content-type': { 'value': 'text/plain' }
        },
        body: 'Invalid referrer domain'
    };

    if (!referrer) return request;  // Allow requests without Referer

    var fqdn = referrer['value'].split('/')[2];

    // Define allowed domains (wildcards use suffix matching)
    var allowedDomains = [
        'domain1.com', 'domain2.com', 'domain3.com', 'domain4.com', 'domain5.com',
        'domain6.com', 'domain7.com', 'domain8.com', 'domain9.com', 'domain10.com',
        'domain11.com', 'domain12.com', 'domain13.com', 'domain14.com', 'domain15.com',
        'domain16.com', 'domain17.com', 'domain18.com', 'domain19.com', 'domain20.com',
        'domain21.com', 'domain22.com', 'domain23.com', 'domain24.com', 'domain25.com',
        'domain26.com', 'domain27.com', 'domain28.com', 'domain29.com', 'domain30.com',
        'domain31.com', 'domain32.com', 'domain33.com', 'domain34.com', 'domain35.com',
        'domain36.com', 'domain37.com', 'domain38.com', 'domain39.com', 'domain40.com',
        'domain41.com', 'domain42.com', 'domain43.com', 'domain44.com', 'domain45.com',
        'domain46.com', 'domain47.com', 'domain48.com', 'domain49.com', 'domain50.com'
    ];
    var allowedWildcards = [
        '.domain1.com', '.domain2.com', '.domain3.com', '.domain4.com', '.domain5.com',
        '.domain6.com', '.domain7.com', '.domain8.com', '.domain9.com', '.domain10.com',
        '.domain11.com', '.domain12.com', '.domain13.com', '.domain14.com', '.domain15.com',
        '.domain16.com', '.domain17.com', '.domain18.com', '.domain19.com', '.domain20.com',
        '.domain21.com', '.domain22.com', '.domain23.com', '.domain24.com', '.domain25.com',
        '.domain26.com', '.domain27.com', '.domain28.com', '.domain29.com', '.domain30.com',
        '.domain31.com', '.domain32.com', '.domain33.com', '.domain34.com', '.domain35.com',
        '.domain36.com', '.domain37.com', '.domain38.com', '.domain39.com', '.domain40.com',
        '.domain41.com', '.domain42.com', '.domain43.com', '.domain44.com', '.domain45.com',
        '.domain46.com', '.domain47.com', '.domain48.com', '.domain49.com', '.domain50.com'
    ];

    // Check exact domain match
    if (allowedDomains.includes(fqdn)) return request;

    // Check wildcard domains using `endsWith`
    for (var i = 0; i < allowedWildcards.length; i++) {
        if (fqdn.endsWith(allowedWildcards[i])) return request;
    }

    return response;  // Reject if no match
}