Directive Reference

valid_referers

The `valid_referers` directive defines a list of allowed referer URLs for incoming requests.

NGINX HTTP Core · serverlocation
Syntaxvalid_referers string | blocked | none;
Defaultnone
Contextserver, location
Arguments1+

Description

The valid_referers directive is used to specify a set of valid referer URLs that can access a resource or location defined in your NGINX configuration. When a request is made to a resource, NGINX checks the HTTP Referer header against the specified list of valid referers. If the referer is not in the specified list, the request can be denied based on the configured behavior (usually via a deny directive).

The directive accepts multiple arguments, allowing you to specify as many valid referer patterns as necessary. A referer can be specified as a fully qualified domain name, a pattern using wildcards (e.g., *.example.com), or by IP addresses. If a referer is not listed or does not match any defined patterns, NGINX can be configured to either allow or deny the request based on the presence or absence of the referer.

Typically used in conjunction with deny and allow directives, valid_referers is crucial for controlling access based on the incoming request's origin, helping prevent hotlinking or unauthorized access to resources.

Config Example

location /protected {
    valid_referers none blocked;
    valid_referers https://www.example.com https://example.com;
    # Optionally deny requests without a valid referer
    if ($invalid_referer) {
        return 403;
    }
}

Be careful with the use of wildcards, as they can unintentionally match more URLs than expected.

Ensure you have configured handling for requests with no referer, especially if using 'blocked' as an argument.

Remember to include the 'none' to allow access without referers if desired.

Related Directives

allowdenyreferer_filter
← Back to all directives