Define your secret key within the X-Pull Key setting in your Zone settings. This value can be set up to a custom 15 alphanumeric value.

For users who are using a PHP-based framework, adding the following configuration to your origin server will return a 405 error on Nginx and a Forbidden error on Apache. This configuration links to the PHP-FPM processor thus returning an error for all requests that send the X-Pull header and are associated with PHP such as your CDN pages (e.g. cdn.example.com or example-hexid.kxcdn.com).

Nginx

Nginx users can add the following to their configuration file.

location ~ \.php$ {
    if ($http_x_pull ~* "secretkeyname") {
        return 405;
    }
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
}

Apache

Apache users can add the following snippet to the .htaccess file. Ensure that you add the snippet at the top of your .htaccess file, otherwise it may not work. The following configuration will return a 403 Forbidden error for all pages using the CDN URL.

RewriteEngine On
RewriteCond %{HTTP:X-Pull} secretkeyname
RewriteRule \.(html|php)$ - [F]

Use the HTTP Header Checker tool to verify if you are receiving the expected response when a request is made with the X-Pull Key.

Once the steps above are configured on your origin server, be sure to purge your Zone cache and try to access a page using your CDN URL. If you receive a 405 error then you have properly configured X-Pull for this use case.