You can configure a Referer whitelist for a bucket so that objects in the bucket cannot be hotlinked, that is, embedded and served from websites other than your own.

Background information

The hotlink protection feature lets you configure a Referer whitelist for a bucket and choose whether requests with an empty Referer field are allowed. Once the whitelist is set, only requests whose Referer header matches an entry in the whitelist can access the data in the bucket. The check is performed on the Referer header field of HTTP and HTTPS requests.

Hotlink protection applies to requests sent to Object Storage Service (OSS) as follows:

  • Only anonymous requests and requests that carry a signed URL are checked against the whitelist.
  • Requests that carry an Authorization header field are not checked.
OSS determines where a request comes from by its Referer header field. A browser sets the Referer field in the requests it sends to a web server to indicate the page from which the request originates. OSS compares the Referer field of the request with the Referer whitelist configured for the bucket: if the Referer matches an entry in the whitelist, the request is allowed; otherwise, the request is denied. For example, assume that a bucket has the Referer whitelist https://10.10.10.10:
  • User A embeds an image object named test.jpg in the https://10.10.10.10 website. When a visitor views the image on that site, the browser sends a request whose Referer field is https://10.10.10.10. OSS allows the request because the Referer is in the whitelist.
  • User B embeds the URL of the same image object in the https://192.168.0.0 website without authorization. When a visitor views the image on that site, the browser sends a request whose Referer field is https://192.168.0.0. OSS denies the request because the Referer is not in the whitelist.

For more information about the PutBucketReferer operation, see PutBucketReferer.

Hotlink protection checks only a header that the client itself sets, so it stops other websites from embedding your objects but does not stop a client that sends its own Referer value. To set conditions on which users can access some or all of the resources in your bucket and which operations they can perform on those resources, we recommend that you configure bucket policies. For example, you can configure a bucket policy that allows access to the bucket only from specified IP addresses. For more information about bucket policies, see Configure bucket policies to authorize other users to access OSS resources.

Implementation methods

Implementation method        Description
Console                      A user-friendly and intuitive web application
ossutil                      A high-performance command-line tool
Java SDK, Python SDK,        SDK demos for various programming languages
PHP SDK, Go SDK, C SDK,
.NET SDK, Node.js SDK,
Ruby SDK

Referer

This section describes how to configure Referers for a bucket, how to use wildcards in Referers, and the effects of different Referer configurations.

  • Configure Referers
    • You can configure multiple Referers for a bucket. When you configure Referers in the OSS console, press the Enter key to put each Referer on its own line. When you call API operations to configure Referers, use commas (,) to separate Referers.
    • You can use asterisks (*) and question marks (?) as wildcards in Referers.
      • An asterisk (*) matches zero or more characters. For example, if you add *.aliyun.com to the Referer whitelist of a bucket and turn off Allow Empty Referer, only HTTP or HTTPS requests whose Referer field matches *.aliyun.com, such as help.aliyun.com and www.aliyun.com, are allowed to access your resources. If you add *.aliyun.com to the Referer whitelist and turn on Allow Empty Referer, requests in which the Referer field is empty are also allowed.
      • A question mark (?) matches exactly one character. If you add a question mark (?) to the Referer whitelist and turn off Allow Empty Referer, only HTTP or HTTPS requests that carry a Referer field are allowed to access your resources. If you add a question mark (?) to the Referer whitelist and turn on Allow Empty Referer, requests in which the Referer field is empty are also allowed.

      For more examples of Referer configurations, see Configure hotlink protection.

  • Effects of Referer configurations
    • If the Referer whitelist is empty and empty Referer fields are allowed, which is the default configuration of a bucket, all requests are allowed: hotlink protection imposes no restriction.
    • If the Referer whitelist is not empty and empty Referer fields are not allowed, only requests whose Referer field matches an entry in the whitelist are allowed.
    • If the Referer whitelist is not empty and empty Referer fields are allowed, only requests whose Referer field matches an entry in the whitelist or is empty are allowed.
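
The following Python program is an added example written for this page; it is not OSS's implementation and not code from any OSS SDK. It models the decision rules above (the 10.10.10.10 example, the * and ? wildcards, the Allow Empty Referer switch, and the rule that requests with an Authorization header are not checked) and serialises a configuration as the PutBucketReferer request body. Two things are assumptions of the model rather than statements on this page: a whitelist entry is matched against the Referer value reduced to scheme://host[:port] (the page does not say whether OSS also compares the path), and the combination of an empty whitelist with empty Referers disallowed, which the page does not cover, is rejected rather than evaluated. All requests and header values in the code are constructed samples.

```python
"""Added example for this page: a local model of the OSS hotlink-protection
decision and of the PutBucketReferer payload. Illustrative code, not OSS's
implementation and not code from an OSS SDK.

Assumptions (not stated on the page):
  * a whitelist entry is a glob in which `*` matches zero or more characters
    and `?` exactly one, matched against the Referer reduced to
    scheme://host[:port]; whether OSS also compares the path is not said on
    the page, so the reduction is this model's choice;
  * an empty whitelist with empty Referers disallowed is not covered by the
    page, so the model refuses to evaluate that configuration.
"""
import fnmatch
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass
class RefererConfig:
    """The two settings PutBucketReferer accepts; the defaults are OSS's defaults."""
    allow_empty_referer: bool = True
    referers: List[str] = field(default_factory=list)


@dataclass
class Request:
    """The parts of an object GET that matter here (constructed sample, not captured traffic)."""
    headers: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)


def _origin(referer: str) -> str:
    """'https://help.aliyun.com/doc?x=1' -> 'https://help.aliyun.com' (model assumption)."""
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return referer                          # not a URL: match the raw value
    return f"{parts.scheme}://{parts.netloc}"


def referer_matches(pattern: str, referer: str) -> bool:
    """Whole-value glob match with only * and ? as metacharacters."""
    literal_brackets = pattern.replace("[", "[[]")   # fnmatch would read [ as a class
    return fnmatch.fnmatchcase(_origin(referer), literal_brackets)


def is_allowed(cfg: RefererConfig, req: Request) -> bool:
    """Apply the rules the page lists, in the order the page states them."""
    # Requests that carry an Authorization header are not checked at all;
    # anonymous requests and signed URLs (Signature in the query string) are.
    if "Authorization" in req.headers:
        return True
    if not cfg.referers:
        if cfg.allow_empty_referer:
            return True                         # default state: no restriction
        raise ValueError("empty whitelist with empty Referer disallowed: not defined on this page")
    referer = req.headers.get("Referer")
    if not referer:
        return cfg.allow_empty_referer
    return any(referer_matches(p, referer) for p in cfg.referers)


def to_put_bucket_referer_xml(cfg: RefererConfig) -> str:
    """Serialise the configuration as the PutBucketReferer request body."""
    root = ET.Element("RefererConfiguration")
    ET.SubElement(root, "AllowEmptyReferer").text = "true" if cfg.allow_empty_referer else "false"
    lst = ET.SubElement(root, "RefererList")
    for entry in cfg.referers:
        ET.SubElement(lst, "Referer").text = entry
    return ET.tostring(root, encoding="unicode")


def from_put_bucket_referer_xml(body: str) -> RefererConfig:
    """Parse a GetBucketReferer response body back into a RefererConfig."""
    root = ET.fromstring(body)
    allow = (root.findtext("AllowEmptyReferer") or "true").strip().lower() == "true"
    return RefererConfig(allow_empty_referer=allow,
                         referers=[e.text for e in root.iter("Referer") if e.text])


def demo() -> Dict[str, bool]:
    """The page's 10.10.10.10 example plus wildcard, bypass and misconfiguration cases."""
    cfg = RefererConfig(allow_empty_referer=False,
                        referers=["https://10.10.10.10", "*.aliyun.com"])
    signed_url = {"OSSAccessKeyId": "LTAI-example", "Expires": "1700000000", "Signature": "x"}
    return {
        "user_a_site": is_allowed(cfg, Request({"Referer": "https://10.10.10.10/gallery"})),
        "user_b_site": is_allowed(cfg, Request({"Referer": "https://192.168.0.0/steal.html"})),
        "wildcard_subdomain": is_allowed(cfg, Request({"Referer": "https://help.aliyun.com/doc"})),
        "lookalike_suffix": is_allowed(cfg, Request({"Referer": "https://aliyun.com.example.net/"})),
        "no_referer": is_allowed(cfg, Request()),
        "authorization_header": is_allowed(cfg, Request({"Authorization": "OSS LTAI-example:sig"})),
        "signed_url_wrong_site": is_allowed(cfg, Request({"Referer": "https://192.168.0.0/"}, signed_url)),
        # Missing dot: "*aliyun.com" also admits "https://evilaliyun.com".
        "sloppy_wildcard": is_allowed(RefererConfig(False, ["*aliyun.com"]),
                                      Request({"Referer": "https://evilaliyun.com/"})),
    }
```

The sloppy_wildcard case is the check worth running before saving a whitelist: an entry such as *aliyun.com, without the dot, admits any host whose name merely ends in aliyun.com. With the Python SDK the same configuration is applied with bucket.put_bucket_referer(oss2.models.BucketReferer(False, ["https://10.10.10.10", "*.aliyun.com"])), which sends the body that to_put_bucket_referer_xml produces. Because the Referer value is chosen by the client, any request built with a forged Referer passes the check, which is why the page points to bucket policies and signed URLs for actual access control.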

References

For more information about hotlink protection errors, see Referer.