Configure hotlink protection - Console User Guide| Alibaba Cloud Documentation Center

Configure hotlink protection

Edit in GitHub

Last Updated: Sep 15, 2020 Edit in GitHub

You can configure a Referer whitelist for a bucket to prevent extra fees caused by unauthorized access to the bucket.

Background information

The hotlink protection function allows you to configure a Referer whitelist for a bucket. This way, only requests from the domain names that are included in the Referer whitelist can access the data in the bucket. OSS supports configuring Referer whitelists based on the Referer header field in HTTP or HTTPS requests.

The hotlink protection function verifies only access to objects through signed URLs and anonymous requests. Requests that include the Authorization field in the header are not verified.

For more information about the PutBucketReferer operation, see PutBucketReferer. For more information about hotlink protection, see Configure hotlink protection.

Procedure

Log on to the OSS console.
Click Buckets, and then click the name of the target bucket.
Choose Access Control > Hotlink Protection.
In the Hotlink Protection section, click Configure.
- Enter domain names or IP addresses in the Referer Whitelist box. Separate multiple Referers with new lines. You can use asterisks (*) and question marks (?) as wildcards. Examples:
  - If you add www.aliyun.com to the Referer whitelist, requests sent from URLs that start with www.aliyun.com, such as www.aliyun.com/123 and www.aliyun.com.cn are allowed.
  - If you add *www.aliyun.com/ to the Referer whitelist, requests sent from http://www.aliyun.com/ and https://www.aliyun.com/ are allowed
  - An asterisk (*) can be used as a wildcard to indicate zero or more characters. For example, if you add *.aliyun.com to the Referer whitelist, requests sent from URLs such as help.aliyun.com and www.aliyun.com are allowed.
  - A question mark (?) can be used as a wildcard to indicate a character. For example, if you add aliyun?.com to the Referer whitelist, requests sent from URLs such as aliyuna.com and aliyunb.com are allowed.
  - You can add domain names or IP addresses with a port number, such as www.example.com:8080 and 10.10.10.10:8080, to the Referer whitelist.
- Select whether to turn on Allow Empty Referer to allow requests in which the Referer field is empty.
  An HTTP or HTTPS request with an empty Referer indicates that the request does not contain the Referer field or the value of the Referer field is empty.
  
  If you do not allow empty Referers fields, only HTTP or HTTPS requests which include an allowed Referer field can access the objects in the bucket.
Note By default, if you preview an MP4 object through the bucket endpoint such as bucketname.oss-cn-zhangjiakou.aliyuncs.com, the browser sends a request that contains the Referer field and a request that does not contain the Referer field at the same time. Therefore, you must not only add the bucket endpoint to the Referer whitelist but also allow empty Referer fields. To preview a non-MP4 object through the bucket endpoint, you need only to allow empty Referer fields.
Click Save.

References

For more information about hotlink protection errors, see Referer.