Since the ordinary referrer check is almost useless (sending of a referrer header can be easily disabled by <meta> tag) so there are a few ways of protection :
One of the best ways to protect from hotlink is to bind URL to IP of the browser and specify the list of allows referees. But about 10-15% of visits use dynamic IP (there will be a request to the website from one IP and from another one to CDN). to block hotlinking but allow access to users with dynamic IPs (or cookies disabled) vCDN have the following rule: if IP binding check fails, or cookie check fails, but VALID (non-empty) REFERER is found - then access is granted. You can also add a cookie check - if its value matches the key value, then the request is valid, even if there is no IP binding or no ref (if the ref is, but does not match, the request will be rejected).
If IP binding is not used, the absence of a valid cookie will not reject the request only if there is a valid ref. But to use a cookie, you need to :
It is possible to specify a “white list” of addresses for which the URL signature will not be checked (setting the keycheck_whitelist on the client). It is done through the support team.
URL expiration check
URL with IP binding
URL with IP and cooke binding
Limiting the number of requests from different IP