OSS allows you to call the PutBucketReferer operation to set the Referer whitelist to prevent unauthorized users from accessing OSS data.

Note: For more information about the PutBucketReferer operation, see PutBucketReferer.
To configure hotlink protection, you must set the following parameters:
  • RefererList: specifies the domains that are allowed to access OSS resources.
  • AllowEmptyReferer: specifies whether a request may omit the Referer field. If AllowEmptyReferer is set to false, the HTTP or HTTPS request header must include a Referer field for the request to access OSS resources.

For example, if you add https://www.aliyun.com/ to the referer whitelist of a bucket named oss-example, only users who set the Referer field to https://www.aliyun.com/ in their requests can access the objects in this bucket.

Implementation methods

Implementation method                                       Description
Console                                                     A user-friendly and intuitive web application
ossutil                                                     A high-performance command-line tool
OSS SDKs (Java, Python, PHP, Go, C, .NET, Node.js, Ruby)    SDK demos for various programming languages

Detail analysis

  • Referer validation
    • Hotlink protection validation is performed only when an object is accessed anonymously or through a signed URL. It is not performed when the request header contains the Authorization field.
    • Hotlink protection validation is performed regardless of the bucket ACL, that is, for private, public-read, and public-read/write buckets alike.
  • Referer configuration
    • A bucket supports multiple Referer entries. In the console, separate entries with line breaks. When you call the PutBucketReferer operation, separate entries with commas (,).
    • You can use wildcards such as asterisks (*) and question marks (?) to set Referer parameters.
  • Referer effects
    • If the Referer whitelist is empty, OSS does not check the Referer field at all. (If it did, no Referer could match an empty whitelist and every request would be rejected.)
    • If the Referer whitelist is not empty and AllowEmptyReferer is set to false, OSS allows only requests whose Referer matches an entry in the whitelist and rejects all other requests, including requests in which the Referer field is empty.
    • If the Referer whitelist is not empty and AllowEmptyReferer is set to true, OSS allows requests whose Referer matches an entry in the whitelist and requests in which the Referer field is empty. All other requests are rejected.

Wildcards

  • Asterisk (*): used to replace zero or more characters. For example, if you are looking for an object whose name starts with AEW but you do not remember the rest of its name, you can enter AEW* to search for all objects whose names start with AEW, such as AEWT.txt, AEWU.EXE, and AEWI.dll. To narrow down the search scope, you can enter AEW*.txt to search for all .txt objects whose names start with AEW, such as AEWIP.txt and AEWDF.txt.
  • Question mark (?): used to replace a single character. For example, if you enter love?, all objects whose names start with love and end with one character are displayed, such as lovey and lovei. To narrow down the search scope, you can enter love?.doc to search for all .doc objects whose names start with love and end with one character, such as lovey.doc and loveh.doc.
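The following Python model, added here as an example and not part of the OSS documentation or the OSS SDK, implements the decision rules from the "Detail analysis" section (Authorization header skips the check, empty whitelist means no check, AllowEmptyReferer governs empty Referers, otherwise the Referer must match a whitelist entry) together with the asterisk and question-mark wildcard semantics from the "Wildcards" section. The names RefererConfig, parse_referer_list, referer_matches and is_request_allowed are this example's own; the sample whitelist and request values are constructed for illustration. It models the rules as this page states them, not the OSS service's internal implementation, so it is useful for reasoning about a whitelist before you push it with PutBucketReferer rather than as a substitute for testing against OSS.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class RefererConfig:
    """Mirrors the two PutBucketReferer parameters described on this page."""
    referer_list: list[str] = field(default_factory=list)
    allow_empty_referer: bool = True


def parse_referer_list(raw: str, separator: str = ",") -> list[str]:
    """Split a RefererList the way the API accepts it (comma-separated).
    The console separates entries with line breaks, so pass separator="\n"
    for console-style input. Blank entries are dropped."""
    return [entry.strip() for entry in raw.split(separator) if entry.strip()]


def wildcard_to_regex(pattern: str) -> re.Pattern[str]:
    """Translate a whitelist entry into an anchored regex:
    '*' matches zero or more characters, '?' exactly one character,
    every other character is matched literally (dots, slashes included)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def referer_matches(pattern: str, referer: str) -> bool:
    """True if the request's Referer value matches one whitelist entry."""
    return wildcard_to_regex(pattern).match(referer) is not None


def is_request_allowed(config: RefererConfig, referer: str,
                       has_authorization: bool = False) -> tuple[bool, str]:
    """Apply the hotlink-protection rules in the order the page describes.
    Returns (allowed, reason) so each decision is explainable."""
    # Rule 1: a request carrying the Authorization field is not subject to
    # Referer validation at all (anonymous and signed-URL access is).
    if has_authorization:
        return True, "Authorization header present; Referer check skipped"
    # Rule 2: an empty whitelist disables the check entirely.
    if not config.referer_list:
        return True, "Referer whitelist is empty; no check performed"
    # Rule 3: an empty Referer is decided by AllowEmptyReferer alone.
    if not referer:
        if config.allow_empty_referer:
            return True, "empty Referer allowed (AllowEmptyReferer=true)"
        return False, "empty Referer rejected (AllowEmptyReferer=false)"
    # Rule 4: a non-empty Referer must match at least one whitelist entry.
    for pattern in config.referer_list:
        if referer_matches(pattern, referer):
            return True, f"Referer matches whitelist entry {pattern!r}"
    return False, "Referer does not match any whitelist entry"


# Constructed sample: the bucket from the page's example plus one
# wildcard entry, with empty Referers disallowed.
SAMPLE_CONFIG = RefererConfig(
    referer_list=parse_referer_list(
        "https://www.aliyun.com/, https://*.example.com/*"),
    allow_empty_referer=False,
)

SAMPLE_REQUESTS = [
    ("https://www.aliyun.com/", False),          # exact whitelist entry
    ("https://img.example.com/gallery", False),  # matched by the wildcard entry
    ("https://evil.example.net/", False),        # not whitelisted
    ("", False),                                 # empty Referer, disallowed here
    ("", True),                                  # signed request, check skipped
]

if __name__ == "__main__":
    for referer, signed in SAMPLE_REQUESTS:
        allowed, reason = is_request_allowed(SAMPLE_CONFIG, referer, signed)
        print(f"{'ALLOW' if allowed else 'DENY ':5} referer={referer!r:40} {reason}")
```

Running the block prints one decision per sample request. The reason string is the part worth keeping in a real policy-check tool: when a legitimate site is being rejected, it tells you immediately whether the cause is a missing Referer with AllowEmptyReferer=false or an entry that does not match because wildcards are literal-by-default (a bare https://www.aliyun.com/ entry does not cover https://www.aliyun.com/page.html; the entry needs a trailing * for that).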

References

For hotlink protection FAQ, see Referer.