Object Storage Service: Protect source images

Last Updated: Oct 25, 2023

Object Storage Service (OSS) provides the source image protection feature to protect your images from being used by unauthorized anonymous requesters. After you enable source image protection for your bucket, anonymous requesters can access images in the bucket only by adding style parameters to the request or using a signed URL.

Background information

You can use one of the following methods to access an image in a bucket for which the source image protection feature is enabled:

  • Use the object URL that contains the style parameters in the following format: https://BucketName.Endpoint/ObjectName?x-oss-process=style/StyleName.

  • Use the object URL that contains a signature in the following format: https://BucketName.Endpoint/ObjectName?Signature.

Procedure

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Buckets. On the Buckets page, find and click the desired bucket.

  3. In the left-side navigation tree, choose Data Processing > IMG.

  4. On the IMG page, click Access Settings.

  5. In the Access Settings panel, turn on Source Image Protection and configure the parameters described in the following table.

    Parameter: Source Image Protection Rule

    Description: You can configure up to 10 rules. A rule includes a prefix, a suffix, or both.

    Note: The source image protection rule function is in public preview. To use source image protection rules, contact technical support.

    When you configure a source image protection rule, take note of the following items:

    • You can include a prefix, a suffix, or both in a rule for source image protection. If you configure both a prefix and a suffix, only images whose names contain both the specified prefix and suffix are protected by the rule.

      Note: You can use a prefix to protect all objects in a directory. For example, to protect images in the image/ directory, set the prefix to image/.

    • If multiple rules are configured for the objects in a bucket, images whose names match one of the rules are protected.

    • If you specify both source image protection rules and protected image extensions, images whose names match one or more of the rules or contain the specified extension are protected.

    • If you want the prefix and suffix specified in the rule to be case-insensitive, select Case Insensitive.

    Parameter: Protected Image Extensions

    Description: Select an image extension from the Protected Image Extensions drop-down list. All objects in the bucket that match the specified extension are protected.

    Note: If you select *, all image objects in the bucket are protected.

    Parameter: Delimiters

    Description: The following delimiters are supported: hyphens (-), underscores (_), forward slashes (/), and exclamation points (!). After you specify delimiters, you can use the delimiters to replace style parameters. This simplifies IMG URLs.

    For example, suppose you use an IMG URL that contains style parameters to access an image. The URL format is https://BucketName.Endpoint/ObjectName?x-oss-process=style/StyleName. If you specify exclamation points (!) as the delimiter, you can simplify the URL to http(s)://BucketName.Endpoint/ObjectName!StyleName.

  6. Click OK.
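The rule semantics in step 5 can be checked against an object listing before you rely on them. The following Python sketch is an added example, not Alibaba Cloud code: it models the matching described above and lists object names that no rule or extension covers. It assumes that a prefix means the name starts with the value, a suffix means the name ends with it, and extensions are compared exactly; the rules and object names are constructed.

```python
import posixpath
from dataclasses import dataclass

MAX_RULES = 10  # the page allows up to 10 rules


@dataclass(frozen=True)
class Rule:
    prefix: str = ""
    suffix: str = ""
    case_insensitive: bool = False  # the "Case Insensitive" option

    def __post_init__(self):
        if not (self.prefix or self.suffix):
            raise ValueError("a rule needs a prefix, a suffix, or both")

    def matches(self, key: str) -> bool:
        p, s, k = self.prefix, self.suffix, key
        if self.case_insensitive:
            p, s, k = p.lower(), s.lower(), k.lower()
        # Assumption: prefix = name starts with it, suffix = name ends with it.
        # When both are set, both must hold for the rule to apply.
        return k.startswith(p) and k.endswith(s)


def is_protected(key, rules, extensions=()):
    """True if any rule matches OR the object's extension is selected."""
    if len(rules) > MAX_RULES:
        raise ValueError("at most 10 rules can be configured")
    if any(r.matches(key) for r in rules):
        return True
    if "*" in extensions:  # simplification: every listed key counts as an image
        return True
    ext = posixpath.splitext(key)[1].lstrip(".")
    return ext in extensions  # assumption: exact, case-sensitive comparison


def unprotected(keys, rules, extensions=()):
    """Object names not covered by source image protection."""
    return [k for k in keys if not is_protected(k, rules, extensions)]


# Constructed sample configuration and object listing.
RULES = [Rule(prefix="image/"),
         Rule(prefix="raw/", suffix="_orig.tiff"),
         Rule(prefix="uploads/", case_insensitive=True)]
EXTENSIONS = ("png",)
SAMPLE_KEYS = ["image/cat.jpg", "Image/dog.jpg", "raw/scan_orig.tiff",
               "raw/scan_thumb.tiff", "banner.png", "UPLOADS/a.JPEG"]

if __name__ == "__main__":
    for key in unprotected(SAMPLE_KEYS, RULES, EXTENSIONS):
        print("NOT protected:", key)
```

In this sample, Image/dog.jpg is missed because the image/ rule is case-sensitive, and raw/scan_thumb.tiff is missed because it matches the prefix but not the suffix of its rule.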

FAQ

  • Why is HTTP status code 403 returned when I access a protected image, whereas HTTP status code 200 is returned when I access the image over Alibaba Cloud CDN?

    A possible cause is that the request is redirected to access a private bucket over Alibaba Cloud CDN. Source image protection applies only to anonymous access requests, not access requests that include signature information.

  • Why can my source image still be accessed by using a signed URL when source image protection is enabled for the image?

    Source image protection applies only to anonymous access requests. Users who access objects by using signed URLs are not anonymous. Therefore, the source image can be accessed by using a signed URL even if you enable source image protection.