I was implicitly referring to the hash validation that seems to be absent of lxc-download.
That’s because it always downloads over https, the hash validation is useful only if you’re going to fetch the data over http.
For firewalling, you can add every one of the servers listed above to your firewall rules.
You can alternatively force the us of https://ca.images.linuxcontainers.org which is a server that will not redirect.
The https brings transport protection, not hosting one. The hash permit to say :
We don’t have to strictly trust our mirrors operators
Anyway, the force scenario proposed is a way to get around it for lxc-download.