You can configure a Referer whitelist for a bucket to prevent unauthorized access and avoid the additional charges that such access incurs.
The hotlink protection feature allows you to configure a Referer whitelist for a bucket. This way, only requests from the domain names that are included in the Referer whitelist can access the data in the bucket. OSS allows you to configure Referer whitelists based on the Referer header field in HTTP and HTTPS requests.
Hotlink protection verifies only requests that access objects by using signed URLs or anonymous requests. Requests that include the Authorization field in the header are not verified.
- Log on to the OSS console.
- Click Buckets, and then click the name of the target bucket.
- Choose .
- In the Hotlink Protection section, click Configure.
Note: By default, if you preview an MP4 object by using a bucket domain name such as bucketname.oss-cn-zhangjiakou.aliyuncs.com, the browser sends a request that contains the Referer field and a request that does not contain the Referer field at the same time. Therefore, you must add the bucket domain name to the Referer whitelist and allow empty Referer fields. To preview a non-MP4 object by using the bucket domain name, you need only to allow empty Referer fields.
- Enter domain names or IP addresses in the Referer Whitelist field. Separate multiple Referers with line feeds. You can use asterisks (*) and question marks (?) as wildcards. Examples:
  - If you add www.aliyun.com to the Referer whitelist, requests sent from URLs that start with www.aliyun.com, such as www.aliyun.com/123 and www.aliyun.com.cn, are allowed.
  - An asterisk (*) can be used as a wildcard to indicate zero or more characters. For example, if you add *www.aliyun.com/ to the Referer whitelist, requests sent from http://www.aliyun.com/ and https://www.aliyun.com/ are allowed. If you add *.aliyun.com to the Referer whitelist, requests sent from URLs such as help.aliyun.com and www.aliyun.com are allowed.
  - A question mark (?) can be used as a wildcard to indicate a single character. For example, if you add aliyun?.com to the Referer whitelist, requests sent from URLs such as aliyuna.com and aliyunb.com are allowed.
  - You can add domain names or IP addresses that include a port number, such as www.example.com:8080 and 10.10.10.10:8080, to the Referer whitelist.
- Select whether to turn on Allow Empty Referer to allow requests in which the Referer field is empty.
An HTTP or HTTPS request that contains an empty Referer indicates that the request does not contain the Referer field or the value of the Referer field is empty.
If you do not allow empty Referer fields, only HTTP or HTTPS requests that include an allowed Referer field can access the objects in the bucket.
- Click Save.
For more information about hotlink protection errors, see Referer.
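The whitelist rules above can be checked locally before you save an entry. The following is an added example, not OSS code: a small model of the matching rules stated on this page, which assumes that the URL scheme is stripped before matching and that every entry matches as a prefix. The function names and sample Referer values are constructed for illustration.

```python
import re

def strip_scheme(value):
    # Assumption: the scheme is ignored, as in the page's examples.
    return re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", value.strip())

def entry_to_regex(entry):
    # Page rules: '*' is zero or more characters, '?' is exactly one.
    parts = []
    for ch in strip_scheme(entry):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Assumption: no end anchor, so every entry matches as a prefix.
    return re.compile("".join(parts))

def is_allowed(referer, whitelist, allow_empty, has_authorization=False):
    if has_authorization:
        return True  # requests with an Authorization header are not verified
    if referer is None or referer.strip() == "":
        return allow_empty  # missing header and empty value are both "empty"
    target = strip_scheme(referer)
    return any(entry_to_regex(e).match(target) for e in whitelist)

def audit(whitelist, allow_empty, referers):
    """Return {referer: allowed} so an entry can be reviewed before saving."""
    return {r: is_allowed(r, whitelist, allow_empty) for r in referers}

# Constructed sample Referer values, built from the hostnames on this page.
SAMPLES = [
    "https://www.aliyun.com/123",
    "https://www.aliyun.com.cn/",
    "https://help.aliyun.com/",
    "http://www.example.com:8080/page",
    "",
]

if __name__ == "__main__":
    for entry in ["www.aliyun.com", "*www.aliyun.com/", "*.aliyun.com"]:
        print(entry, audit([entry], allow_empty=False, referers=SAMPLES))
```

In this model, the entry www.aliyun.com admits www.aliyun.com.cn, as the page states, while *www.aliyun.com/ does not, because the trailing slash must follow the hostname directly.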