You can configure a Referer whitelist for a bucket to block access from unauthorized sources and avoid the additional charges that such access incurs.

Background information

The hotlink protection feature allows you to configure a Referer whitelist for a bucket. This way, only requests from the domain names that are included in the Referer whitelist can access the data in the bucket. OSS allows you to configure Referer whitelists based on the Referer header field in HTTP and HTTPS requests.

Hotlink protection is applied only when objects are accessed by using signed URLs or anonymous requests. Requests that include the Authorization field in the header are not verified against the Referer whitelist.

For more information about the PutBucketReferer operation, see PutBucketReferer. For more information about hotlink protection, see Configure hotlink protection.

Procedure

  1. Log on to the OSS console.
  2. Click Buckets, and then click the name of the target bucket.
  3. Choose Access Control > Hotlink Protection.
  4. In the Hotlink Protection section, click Configure.
    • Enter domain names or IP addresses in the Referer Whitelist field. Separate multiple Referers with line feeds. You can use asterisks (*) and question marks (?) as wildcards. Examples:
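      • If you add www.aliyun.com to the Referer whitelist, requests sent from URLs that start with www.aliyun.com, such as www.aliyun.com/123 and www.aliyun.com.cn, are allowed. Because the entry is matched as a prefix, www.aliyun.com.cn, which is a different domain name, also matches.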
      • An asterisk (*) can be used as a wildcard to indicate zero or more characters. For example, if you add *www.aliyun.com/ to the Referer whitelist, requests sent from http://www.aliyun.com/ and https://www.aliyun.com/ are allowed. If you add *.aliyun.com to the Referer whitelist, requests sent from URLs such as help.aliyun.com and www.aliyun.com are allowed.
      • A question mark (?) can be used as a wildcard to indicate a single character. For example, if you add aliyun?.com to the Referer whitelist, requests sent from URLs such as aliyuna.com and aliyunb.com are allowed.
      • You can add domain names or IP addresses that include a port number, such as www.example.com:8080 and 10.10.10.10:8080, to the Referer whitelist.
    • Select whether to turn on Allow Empty Referer to allow requests in which the Referer field is empty.

      An HTTP or HTTPS request has an empty Referer if the request does not contain the Referer field or if the value of the Referer field is empty.

      If you do not allow empty Referer fields, only HTTP or HTTPS requests that include an allowed Referer field can access the objects in the bucket.

    Note: By default, if you preview an MP4 object by using a bucket domain name such as bucketname.oss-cn-zhangjiakou.aliyuncs.com, the browser sends a request that contains the Referer field and a request that does not contain the Referer field at the same time. Therefore, you must add the bucket domain name to the Referer whitelist and allow empty Referer fields. To preview a non-MP4 object by using the bucket domain name, you only need to allow empty Referer fields.
  5. Click Save.
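
The matching rules in step 4, modelled as an added Python example (not OSS code and not part of the original page) for checking a whitelist against sample Referer values before you save it. It assumes a non-empty whitelist, prefix matching as the examples describe, and that an entry is compared with the Referer both with and without its http:// or https:// scheme; the function names and sample values are constructed for illustration.

```python
import re

def entry_to_regex(entry):
    """Compile one whitelist entry: '*' = zero or more chars, '?' = one char."""
    parts = []
    for ch in entry:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    # No end anchor: the console text describes entries as "starts with" matches.
    return re.compile("".join(parts), re.DOTALL)

def referer_allowed(referer, whitelist, allow_empty):
    """Model the decision for an anonymous or signed-URL request."""
    if not referer:                      # header missing or value empty
        return allow_empty
    # Assumption: an entry may match the full value or the value without scheme.
    candidates = (referer, re.sub(r"^https?://", "", referer))
    return any(entry_to_regex(e).match(c) for e in whitelist for c in candidates)

def audit(whitelist, allow_empty, samples):
    """Return the sample Referer values this configuration would let through."""
    return [s for s in samples if referer_allowed(s, whitelist, allow_empty)]

# Constructed sample Referer values, built from the examples in the procedure.
SAMPLES = [
    "https://www.aliyun.com/",
    "http://www.aliyun.com/123",
    "http://www.aliyun.com.cn/",     # different domain name, same prefix
    "http://help.aliyun.com/doc",
    "http://www.example.org/",       # unrelated site
    "",                              # empty Referer
]

if __name__ == "__main__":
    for wl in (["www.aliyun.com"], ["*www.aliyun.com/"], ["*.aliyun.com"]):
        print(wl, "->", audit(wl, allow_empty=False, samples=SAMPLES))
```

Under this model, the trailing slash in *www.aliyun.com/ is what keeps www.aliyun.com.cn out, while the bare www.aliyun.com entry and *.aliyun.com both let it through.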

References

For more information about hotlink protection errors, see Referer.