You can configure a referer blacklist or whitelist to authenticate and authorize visitors. This can restrict access to CDN resources and improve CDN security. This topic describes how the hotlink protection feature of Alibaba Cloud CDN works and how to configure the feature.

Background information

  • Hotlink protection is based on the HTTP Referer header, which is used to track and identify where requests come from.
  • Hotlink protection supports either a blacklist or a whitelist. When a CDN node receives a resource request from a user, it filters the request based on the configured blacklist or whitelist. A request whose referer domain name is in the whitelist is allowed. A request whose referer domain name is in the blacklist is rejected, and status code 403 is returned.
Notice
  • Hotlink protection is optional. By default, hotlink protection is disabled.
  • The blacklist and whitelist are mutually exclusive. Whichever is configured last takes effect.
  • When a domain name is added to the whitelist or blacklist, a wildcard (*) is automatically prepended to the domain name. For example, if you enter a.com, the domain name that actually takes effect is *.a.com. Hotlink protection takes effect on all the subdomains of a.com.
  • You can select the check box to specify whether to allow requests with an empty referer header to access CDN resources. If the check box is selected, you can directly access CDN resources by entering a URL in the address bar of your browser.

Procedure

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the target domain name and click Manage.
  4. In the left-side navigation pane of the specified domain, click Access Control.
  5. On the Hotlink Protection tab, click Modify.
  6. Configure Blacklist or Whitelist as prompted.
    Parameter: Type
    Description: The following two types are supported:
    • Blacklist: Blacklisted domain names cannot be used to access the current CDN resources.
    • Whitelist: Only whitelisted domain names can be used to access the current CDN resources.
    The blacklist and whitelist are mutually exclusive. Whichever is configured last takes effect.

    Parameter: Rules
    Description: Separate multiple domain names with carriage return characters. You can use wildcards (*) to perform a fuzzy match. For example, a.*b.com can match a.aliyun.b.com or a.img.b.com.
  7. Click OK.
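
The following Python sketch is an added example, not Alibaba Cloud's code. It models the referer check described in the notice and in the Rules parameter so that a rule list can be tested against sample Referer values before it is saved. The function names, the sample values, and the exact wildcard semantics (that * matches any run of characters and that the rule a.com also covers a.com itself) are assumptions.

```python
import re
from urllib.parse import urlsplit

def parse_rules(text):
    """Split the Rules field: one domain name per line, blank lines ignored."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]

def rule_to_regex(rule):
    # Assumption: "*" matches any run of characters, and the automatically
    # prepended wildcard covers the domain itself plus all of its subdomains.
    rule = rule.lstrip("*.")
    body = ".*".join(re.escape(part) for part in rule.split("*"))
    return re.compile(r"(?:.*\.)?" + body)

def is_allowed(referer, rules, mode, allow_empty):
    """Return True if the request is served, False if it gets the 403."""
    if not referer:
        # Empty Referer: decided only by the "allow empty referer" check box.
        return allow_empty
    host = (urlsplit(referer).hostname or "").lower()
    hit = any(rule_to_regex(r).fullmatch(host) for r in rules)
    # Whitelist serves only matches; blacklist serves everything else.
    return hit if mode == "whitelist" else not hit

if __name__ == "__main__":
    rules = parse_rules("a.com\na.*b.com\n")  # constructed rule list
    samples = [  # constructed Referer values
        "https://img.a.com/gallery",
        "https://a.aliyun.b.com/x",
        "https://nota.com/",
        "",
    ]
    for ref in samples:
        print(repr(ref), is_allowed(ref, rules, "whitelist", allow_empty=False))
```

Run the rule list against referers you expect to admit and referers you expect to reject; a wildcard in the middle of a rule can match more hosts than intended.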