You can configure a Referer whitelist for a bucket to prevent extra fees caused by
unauthorized access to the bucket.
Background information
The hotlink protection function allows you to configure a Referer whitelist for a
bucket. This way, only requests from the domain names that are included in the Referer
whitelist can access the data in the bucket. OSS supports configuring Referer whitelists
based on the Referer header field in HTTP or HTTPS requests.
The hotlink protection function checks only anonymous requests and requests that
access objects through signed URLs. Requests that include the Authorization field
in the header are not checked.
For more information about the PutBucketReferer operation, see PutBucketReferer. For more information about hotlink protection, see Configure hotlink protection.
Procedure
- Log on to the OSS console.
- Click Buckets, and then click the name of the target bucket.
- Choose .
- In the Hotlink Protection section, click Configure.
- Enter domain names or IP addresses in the Referer Whitelist box. Separate multiple Referers with new lines. You can use asterisks (*) and question
marks (?) as wildcards. Examples:
  - If you add www.aliyun.com to the Referer whitelist, requests sent from URLs that start
  with www.aliyun.com, such as www.aliyun.com/123 and www.aliyun.com.cn, are allowed.
  - If you add *www.aliyun.com/ to the Referer whitelist, requests sent from http://www.aliyun.com/ and https://www.aliyun.com/ are allowed.
  - An asterisk (*) can be used as a wildcard to indicate zero or more characters. For
  example, if you add *.aliyun.com to the Referer whitelist, requests sent from URLs
  such as help.aliyun.com and www.aliyun.com are allowed.
  - A question mark (?) can be used as a wildcard to indicate a single character. For example,
  if you add aliyun?.com to the Referer whitelist, requests sent from URLs such as aliyuna.com and aliyunb.com are allowed.
  - You can add domain names or IP addresses with a port number, such as www.example.com:8080 and 10.10.10.10:8080, to the Referer whitelist.
- Select whether to turn on Allow Empty Referer to allow requests in which the Referer field is empty.
An HTTP or HTTPS request with an empty Referer indicates that the request does not
contain the Referer field or the value of the Referer field is empty.
If you do not allow empty Referer fields, only HTTP or HTTPS requests that include
an allowed Referer field can access the objects in the bucket.
Note: By default, if you preview an MP4 object through the bucket endpoint, such as bucketname.oss-cn-zhangjiakou.aliyuncs.com,
the browser sends a request that contains the Referer field and a request that does
not contain the Referer field at the same time. Therefore, you must not only add the
bucket endpoint to the Referer whitelist but also allow empty Referer fields. To preview
a non-MP4 object through the bucket endpoint, you need only to allow empty Referer
fields.
- Click Save.
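The whitelist rules and the Allow Empty Referer setting from the procedure above, as an added example (not OSS's own code): a simplified Python model for checking a planned whitelist offline before saving it. It assumes that the scheme is stripped from the Referer before comparison and that an entry matches when the remainder starts with it; the function names and result strings are hypothetical, and the sample requests are constructed.

```python
import re

def entry_to_regex(entry):
    """Translate one whitelist entry: '*' = zero or more chars, '?' = one char."""
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # No end anchor: the page describes entries as matching URLs that start with them.
    return re.compile("".join(parts))

def check_request(headers, whitelist, allow_empty_referer):
    """Return 'skipped', 'allowed' or 'denied' for one request (model only)."""
    # Requests carrying an Authorization header are not checked by hotlink protection.
    if "Authorization" in headers:
        return "skipped"
    referer = headers.get("Referer", "")
    # A missing Referer field and an empty value are both "empty Referer".
    if referer == "":
        return "allowed" if allow_empty_referer else "denied"
    # Assumption: the scheme is dropped before the entry is compared.
    bare = re.sub(r"^https?://", "", referer)
    if any(entry_to_regex(e).match(bare) for e in whitelist):
        return "allowed"
    return "denied"

if __name__ == "__main__":
    # Constructed sample Referers run against two candidate whitelists.
    samples = ["http://www.aliyun.com/123", "http://www.aliyun.com.cn/", ""]
    for wl in (["www.aliyun.com"], ["www.aliyun.com/"]):
        for ref in samples:
            hdrs = {"Referer": ref} if ref else {}
            print(wl, repr(ref), check_request(hdrs, wl, False))
```

In this model the entry www.aliyun.com/ (with a trailing slash) no longer matches www.aliyun.com.cn, while the bare entry www.aliyun.com does, as the first example in the procedure states.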
References
For more information about hotlink protection errors, see Referer.