You can configure a referer blacklist or whitelist to authenticate and filter visitors. This can restrict access to Dynamic Route for CDN (DCDN) resources and improve DCDN security. This topic describes how to configure the referer-based hotlink protection feature.

Background information

  • Hotlink protection is implemented based on the HTTP referer mechanism. It uses the referer header field to trace request sources and filter requests.
  • Hotlink protection provides a referer whitelist and a referer blacklist. After a user sends a request to a DCDN node, the node checks the referer header of the request against the whitelist or blacklist. If the request passes the check, the user is allowed to access the requested resources. If the request fails the check, the DCDN node returns the HTTP 403 status code to the user.
  • Hotlink protection is optional. It is disabled by default.
  • Blacklists and whitelists are mutually exclusive. The most recent configuration takes effect.
  • When a domain name is added to the whitelist or blacklist for hotlink protection, an asterisk (*) is automatically prepended to the domain name as a wildcard. For example, if you enter, the domain name that takes effect is * Hotlink protection takes effect on all the subdomains of
  • You can specify whether to allow requests that have an empty referer header to access DCDN resources. If you select Allow resource URL access from browsers, users can access DCDN resources by entering the URL in the address bar of a browser.


  1. Log on to the DCDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage, and click Configure in the Actions column.
  4. In the left-side navigation pane on the details page of the specified domain name, click Access Control.
  5. On the Hotlink Protection tab, turn on the Hotlink Protection switch.
  6. Configure a Blacklist or a Whitelist as prompted.
    Configure referer-based hotlink protection
    Parameter Description
    The following hotlink protection types are supported:
    • Blacklist

      Requests sent from domain names in the blacklist are blocked.

    • Whitelist

      Only requests sent from domain names in the whitelist are allowed to access the current resources.

    The blacklist and whitelist are mutually exclusive. The most recent configuration takes effect.

    Rules: Separate multiple domain names by pressing Enter. You can use asterisks (*) to specify wildcard referer header fields. For example, you can enter a.* to match or
  7. Click OK.
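
The following added example (not Alibaba Cloud code) models the whitelist, blacklist and empty-referer decisions described above so that a planned rule list can be checked offline before it is saved in the console. The matching semantics are assumptions: a plain domain is taken to cover itself and its subdomains, a rule containing * is treated as a glob, and an unparseable referer matches no rule. All names and sample values are constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

def referer_host(referer):
    """Lowercase host from a Referer value, or None if it cannot be parsed."""
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:
        return None
    return host.lower() if host else None

def rule_matches(rule, host):
    """Assumed semantics: a plain domain covers itself and its subdomains
    (the automatic leading wildcard); a rule containing * is a glob."""
    rule = rule.strip().lower()
    if "*" in rule:
        return fnmatchcase(host, rule)
    return host == rule or host.endswith("." + rule)

def decide(referer, rules, mode, allow_empty):
    """Return the status a node would send under this model: 200 or 403."""
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("mode must be 'whitelist' or 'blacklist'")
    if referer is None or not referer.strip():
        return 200 if allow_empty else 403
    host = referer_host(referer)
    # Assumption: an unparseable Referer matches no rule.
    hit = host is not None and any(rule_matches(r, host) for r in rules)
    if mode == "whitelist":
        return 200 if hit else 403
    return 403 if hit else 200

# Constructed sample data (reserved .test/.invalid names), not real traffic.
RULES = ["example.test", "img.*"]
SAMPLES = [
    "https://www.example.test/gallery",         # subdomain of a listed domain
    "https://example.test.lookalike.invalid/",  # listed name used only as a prefix
    "https://notexample.test/",                 # shares a suffix, not a subdomain
    "https://img.partner.test/a.png",           # matches the img.* wildcard rule
    "",                                         # empty Referer (URL typed in browser)
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(repr(ref), decide(ref, RULES, "whitelist", allow_empty=True))
```

Running the planned rules against referers from your own pages shows whether a whitelist would return 403 to legitimate traffic before the configuration takes effect.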