Advanced Web Application Firewall

Learn about how to prevent hotlinking based on referrer, block IPs, and more using ImageKit's advanced security settings.


Enterprise plan only
This feature is only available in custom enterprise pricing plans.

Besides basic security features, ImageKit provides advanced security settings to prevent hotlinking based on referrer, block IPs, and more. These settings give you more control over who can access your assets.

The advanced security settings include the following features:

  1. IP and IP range blocking.
  2. Optimized asset delivery based on user agents. This is needed for delivering WebP or AVIF images to mobile applications, because they do not follow the standard content negotiation convention based on the Accept header value.
  3. Geographic restriction.
  4. HTTP Referrer-based restriction.
  5. User Agent based restriction.
  6. Improved caching of assets.

How to configure?

If your plan includes this feature, please get in touch with us at support@imagekit.io to set it up for your account. Once enabled and configured, you can use this feature from your ImageKit account's dashboard.

IP and IP range blocking

Limits

  • You can block at most 100 absolute IPs or IP ranges.
  • Only IPv4 blocking is supported.

This feature blocks absolute IPs or IP ranges from accessing content. Any request from a blocked IP results in an HTTP 403 error response, and the asset is not delivered.

To block IPs, provide a list of valid absolute IPv4 addresses or IPv4 ranges in CIDR notation, one per line, in the advanced security settings in the dashboard.

Examples of valid input:

  • Absolute IPv4 address: 163.120.4.15
  • IPv4 range in CIDR notation: 10.0.0.0/24. This blocks all IPs in the range 10.0.0.0 to 10.0.0.255.
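As an added example (not ImageKit's own code), the following Python validates a blocklist under the limits above (IPv4 only, at most 100 entries, strict CIDR notation) and evaluates whether a client address would receive the 403 response. The sample list is constructed from the two entries given as examples.

```python
import ipaddress

MAX_ENTRIES = 100  # dashboard limit stated on the page


def parse_ip_blocklist(text):
    """Validate a newline-separated list of absolute IPv4 addresses or
    IPv4 CIDR ranges, as entered in the dashboard. Returns IPv4Network
    objects (a single address becomes a /32). Raises ValueError for
    anything the page says is unsupported: IPv6, malformed entries,
    CIDR ranges with host bits set, or more than MAX_ENTRIES entries."""
    networks = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # tolerate blank lines
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r} is not a valid "
                             "IPv4 address or CIDR range") from exc
        if net.version != 4:
            raise ValueError(f"line {lineno}: only IPv4 blocking is supported")
        networks.append(net)
    if len(networks) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} entries, got {len(networks)}")
    return networks


def is_blocked(client_ip, networks):
    """True if the client address falls inside any configured entry.
    IPv6 clients never match because only IPv4 blocking is supported."""
    addr = ipaddress.ip_address(client_ip)
    return addr.version == 4 and any(addr in net for net in networks)


def response_status(client_ip, networks):
    """403 for a blocked client (asset not delivered), 200 otherwise."""
    return 403 if is_blocked(client_ip, networks) else 200


# Constructed sample input using the two entries the page gives as examples.
SAMPLE_BLOCKLIST = """163.120.4.15
10.0.0.0/24
"""
SAMPLE_NETWORKS = parse_ip_blocklist(SAMPLE_BLOCKLIST)
```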

Optimized asset delivery based on user agents

Limits

  • You can configure at most 10 user agents for WebP image delivery.

This setting lets you specify the user agents that should receive optimized assets, so that your application can serve optimized images to them.

To configure this setting for your requests, go to the advanced security settings on the dashboard to provide a list of user agents, each separated by a new line.

These user agents do not have to be exactly the same as the user agent header sent in the request. If the user agent in your request has any of the defined user agents as a substring, ImageKit will send the optimized asset. User-agent match is case-insensitive.

For requests with one of the configured user agents, you can select the Accept header from the options in the drop-down menu. This helps in detecting the format of the asset to be delivered as well as in caching.

For example:

  • If you configure the user agent Android 11 with the Accept header image/webp,image/apng,*/*;q=0.8 for the configured user agents, a request with the user agent header Linux; U; Android 11 would be delivered a WebP image.

Geographic restriction

ImageKit provides geographic restriction that allows you to restrict access to assets at the country level.

There are three options for geographic restriction:

  • Blocklist
  • Allowlist
  • No restriction

By default, no geographic restrictions are applied.

HTTP Referrer-based restriction

Limits

You can allow or block at most 30 referrers.

The Referer HTTP request header contains the absolute or partial address of the page that makes the request. It allows a server to identify a page from which people are requesting the resource.

Referrer-based restriction ensures that content only loads on requests from authorized domains. Any unauthorized request will result in an HTTP 403 error, and the asset will not be delivered.

ImageKit provides three options for referrer restriction:

  • Blocklist
  • Allowlist
  • No restriction

To block or allow domains, provide a list of valid URLs (each URL must include at least the scheme and domain name), one per line. Only the exact domain in each URL is allowed or blocked; the path and query string are not used for matching.

For example:

  • If you add https://ik.imagekit.io to the allowlist, the domain ik.imagekit.io will be allowed.
  • If you add https://developer.mozilla.org/en-US/search?q=URL to the blocklist, the domain developer.mozilla.org will be restricted.

Note: Wildcard domain restrictions are not supported at this time.

Uses

The blocklist will block domains that are hotlinking your content or assets, increasing bandwidth usage and hosting costs. If your assets are undesirably hotlinked on other websites, the blocklist can save you significant costs.

The allowlist allows only selected domains to access your assets. For example, you can use it to serve content only on your allowed domains and automatically block other referrers.

If you do not want any HTTP referrer restriction, you can opt for no restriction, which is the default behavior.
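As an added example (not ImageKit's own code), the following Python parses a referrer list under the rules above (scheme and domain required, exact domain only, no wildcards, at most 30 entries) and evaluates the Referer header of a request in allowlist, blocklist or no-restriction mode. The page does not say how a request without a Referer header is treated; this example assumes an allowlist rejects it and a blocklist lets it through. The two sample lists are constructed from the page's example URLs.

```python
from urllib.parse import urlsplit

MAX_REFERRERS = 30  # dashboard limit stated on the page


def referrer_domain(url):
    """Return the exact host from a URL. The entry must carry at least a
    scheme and a domain; path, query and port are ignored, and wildcard
    hosts are rejected because wildcard restrictions are not supported."""
    parts = urlsplit(url.strip())
    host = parts.hostname
    if not parts.scheme or not host:
        raise ValueError(f"{url!r} must include at least a scheme and a domain name")
    if "*" in host:
        raise ValueError("wildcard domain restrictions are not supported")
    return host.lower()


def parse_referrer_list(text):
    """Parse the newline-separated URL list from the dashboard into domains."""
    domains = {referrer_domain(line) for line in text.splitlines() if line.strip()}
    if len(domains) > MAX_REFERRERS:
        raise ValueError(f"at most {MAX_REFERRERS} referrers, got {len(domains)}")
    return domains


def referrer_decision(mode, domains, referer_header):
    """Return the HTTP status for a request given the restriction mode
    ('allowlist', 'blocklist' or 'none') and the raw Referer header value.
    Assumption: a missing or unparsable Referer is rejected by an allowlist
    and passed by a blocklist; the page does not state this behaviour."""
    if mode == "none":
        return 200
    if mode not in ("allowlist", "blocklist"):
        raise ValueError(f"unknown mode {mode!r}")
    try:
        domain = referrer_domain(referer_header or "")
    except ValueError:
        domain = None
    if mode == "allowlist":
        return 200 if domain in domains else 403
    return 403 if domain in domains else 200


# Constructed sample lists using the page's two example URLs.
ALLOWLIST = parse_referrer_list("https://ik.imagekit.io\n")
BLOCKLIST = parse_referrer_list("https://developer.mozilla.org/en-US/search?q=URL\n")
```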

User Agent based restriction

Limits

  • You can configure at most 10 user agents to block.

This feature blocks user agents from accessing content. Any request with a blocked user agent will result in an HTTP 403 error, and the asset will not be delivered.

To configure this setting for your requests, go to the advanced security settings on the dashboard to provide a list of user agents, each separated by a new line.

These user agents do not have to be exactly the same as the user agent header sent in the request. If the user agent in your request has any of the defined user agents as a substring, ImageKit will block the request. User-agent match is case-insensitive.

For example:

  • If you configure the user agent Bytespider, a request with the user agent header Linux; U; Bytespider/3.0 will be blocked.
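As an added example (not ImageKit's own code), the following Python implements the case-insensitive substring matching that both the optimized asset delivery setting and the user agent restriction above rely on, and applies it to a request: a blocked user agent gets 403, an optimized one gets the dashboard-selected Accept header, and anyone else keeps the request's own Accept header. Two assumptions are labelled in the code: the block list is evaluated before the optimized-delivery list, and the format choice from the Accept header (AVIF over WebP) is only illustrative. The configuration is constructed from the page's two examples.

```python
MAX_USER_AGENTS = 10  # limit stated on the page for each of the two lists


def parse_user_agents(text):
    """Parse the newline-separated user agent list from the dashboard."""
    agents = [line.strip() for line in text.splitlines() if line.strip()]
    if len(agents) > MAX_USER_AGENTS:
        raise ValueError(f"at most {MAX_USER_AGENTS} user agents, got {len(agents)}")
    return agents


def matches_user_agent(configured, ua_header):
    """A configured entry matches when it appears anywhere in the request's
    User-Agent header; the comparison is case-insensitive."""
    ua = (ua_header or "").lower()
    return any(entry.lower() in ua for entry in configured)


def negotiated_format(accept_header):
    """Illustrative format choice from an Accept header (assumption: AVIF is
    preferred over WebP when both are listed; otherwise the original format)."""
    accept = (accept_header or "").lower()
    if "image/avif" in accept:
        return "avif"
    if "image/webp" in accept:
        return "webp"
    return "original"


def handle_request(ua_header, blocked_agents, optimized_agents,
                   optimized_accept, request_accept=None):
    """Return (status, effective Accept header) for a request.
    Assumption: the block list is evaluated before the optimized-delivery
    list; the page does not state the order."""
    if matches_user_agent(blocked_agents, ua_header):
        return 403, None  # asset is not delivered
    if matches_user_agent(optimized_agents, ua_header):
        return 200, optimized_accept  # dashboard-selected Accept header applies
    return 200, request_accept


# Constructed configuration using the page's two examples.
BLOCKED = parse_user_agents("Bytespider\n")
OPTIMIZED = parse_user_agents("Android 11\n")
OPTIMIZED_ACCEPT = "image/webp,image/apng,*/*;q=0.8"
```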