You can configure a Referer whitelist or blacklist, and specify whether requests with an empty Referer header are allowed to access your resources. Controlling access based on the Referer header protects your website from unauthorized access.

Background information

The Referer header is a component of the header section in HTTP requests and carries information about the source address, including the protocol, domain name, and query string. Referer is used to identify the source of a request.

You can configure a Referer whitelist or blacklist to identify the sources of requests that are sent to CDN nodes, and determine whether to allow the requests to access your resources. If a request is authorized, Alibaba Cloud CDN returns the URL of the requested resource. If a request is not authorized, Alibaba Cloud CDN returns an HTTP 403 status code.

Notice
  • By default, hotlink protection is disabled.
  • After you add a domain name to the Referer whitelist or blacklist, the wildcard domain name that the domain name matches is automatically added to the whitelist or blacklist. For example, if you add a.com to the whitelist or blacklist, the domain name that takes effect is *.a.com. Hotlink protection takes effect on all domain names that match *.a.com.

Procedure

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
  4. In the management pane of the domain name, click Access Control.
  5. On the Hotlink Protection tab, click Modify.
  6. Select Blacklist or Whitelist based on your business requirements.
    Configure the following parameters:

    Type
    • Blacklist

      Requests from the domain names in the blacklist cannot access the current resource.

    • Whitelist

      Only requests from the domain names in the whitelist are allowed to access the current resource.

    Note: Blacklists and whitelists are mutually exclusive. You can configure only one of them.

    Rules
    • You can add multiple domain names to the Referer whitelist or blacklist. Separate domain names with carriage return characters.
    • You can use an asterisk (*) to specify wildcard domain names. For example, if you specify a.*b.com, a.aliyun.b.com and a.img.b.com match the wildcard domain name.

    Allow resource URL access from browsers
    If you select this check box, requests that have empty Referer values or do not carry the Referer field, such as requests sent from browsers, are allowed to access the current resource regardless of the Referer whitelist or blacklist.
  7. Click OK.
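
The matching rules described above (the implicit *.a.com wildcard, the asterisk wildcard, whitelist or blacklist mode, and the empty-Referer check box) can be modeled offline to check which Referer values a rule set admits before you apply it. The following Python model is an added example, not Alibaba Cloud CDN code. The function names, the bare domain matching its own rule, the 403 for an empty Referer when the check box is cleared, and the treatment of unparseable Referer values are assumptions.

```python
import re
from urllib.parse import urlsplit

def parse_rules(text):
    """Split the contents of the rule box: one domain name per line."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]

def compile_rule(rule):
    """'*' matches any run of characters, as in the page's a.*b.com example."""
    body = ".*".join(re.escape(part) for part in rule.split("*"))
    # Notice on the page: adding a.com takes effect as *.a.com.
    # Assumption: the bare domain a.com matches as well.
    return re.compile(r"(?:.*\.)?" + body)

def referer_host(referer):
    """None for an absent or empty Referer, '' if no host parses, else the host."""
    if referer is None or not referer.strip():
        return None
    try:
        return (urlsplit(referer.strip()).hostname or "").lower()
    except ValueError:  # for example, unbalanced IPv6 brackets
        return ""

def decide(referer, rules, mode, allow_empty):
    """Return the modeled status code, 200 or 403, for one request."""
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("mode must be 'whitelist' or 'blacklist'")
    host = referer_host(referer)
    if host is None:
        # Assumption: with the check box cleared, an empty Referer gets 403.
        return 200 if allow_empty else 403
    # Compare the parsed host only, never the path or the query string,
    # so a listed name that appears elsewhere in the URL does not count.
    listed = any(compile_rule(r).fullmatch(host) for r in rules)
    if mode == "whitelist":
        return 200 if listed else 403
    return 403 if listed else 200

# Constructed sample rule box contents (not taken from a real configuration).
RULES = parse_rules("a.com\r\na.*b.com\n")
```

The model compares the whole host against each rule, so a listed name that appears only as a prefix of another domain or inside the query string is not treated as a match.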