OSS is a pay-as-you-go service. To reduce extra fees caused by unauthorized access to your OSS data, OSS supports hotlink protection based on the Referer header field in HTTP or HTTPS requests. You can configure a Referer whitelist for a bucket and configure whether to allow access requests with an empty Referer field in the OSS console.

Background information

OSS provides hotlink protection to allow you to configure a Referer whitelist. This way, only requests from the domain names that are included in the Referer whitelist can access bucket resources. This configuration protects your bucket data when your bucket ACL is public read or public read/write. For more information about hotlink protection, see Configure hotlink protection.


  1. Log on to the OSS console.
  2. Click Buckets, and then click the name of the target bucket.
  3. ChooseAccess Control > Hotlink Protection. Click Configure in the Hotlink Protection section to add hotlink protection configurations.
    • Referer Whitelist: Add URLs to the whitelist. Referers are typically in URL format. Separate multiple Referers with new lines. You can use question marks (?) and asterisks (*) as wildcard characters.

      If you add http://www.aliyun.com to the Referer whitelist for a bucket named test-1-001, only requests with a Referer of http://www.aliyun.com can access objects in the test-1-001 bucket.

    • Allow Empty Referer: Configure whether to allow requests in which the Referer field is empty. If you do not allow empty Referers fields, only HTTP or HTTPS requests which include an allowed Referer field value can access the objects in the bucket.
  4. Click Save.


For more information about hotlink protection errors, see How to configure hotlink protection and troubleshoot hotlink protection errors?.