Dynamic Content Delivery Network: Configure a Referer whitelist or blacklist to enable hotlink protection

Last Updated: Feb 29, 2024

Referer-based hotlink protection refers to access control based on the Referer header. For example, you can configure a Referer whitelist to allow only specified requests to access your resources or a blacklist to block specified requests. Referer-based hotlink protection identifies and filters user identities and protects your resources from unauthorized access. This topic describes how to configure a Referer whitelist or blacklist to enable hotlink protection.

Background information

Important
  • By default, this feature is disabled.

  • After you add a domain name to the Referer whitelist or blacklist, the wildcard domain name that matches the domain name is automatically added to the whitelist or blacklist. For example, if you add aliyundoc.com to the whitelist or blacklist, hotlink protection takes effect for all domain names that match *.aliyundoc.com.

  • After you initiate a Range request to a domain name, the browser adds the Referer header to the second Range request. Therefore, you need to add the value of the Referer header to the whitelist.

The Referer header is a component of the header section in HTTP requests and contains information about the source address, including the protocol, domain name, and query string. The Referer header is used to identify the source of a request.

After you configure a Referer whitelist or blacklist, DCDN allows or rejects requests based on user identities. If a request is allowed, DCDN returns the URL of the requested resource. Otherwise, DCDN returns the HTTP 403 status code.

Procedure

  1. Log on to the DCDN console.

  2. In the left-side navigation pane, click Domain Names.

  3. On the Domain Names page, find the domain name whose acceleration region you want to change and click Configure.

  4. In the left-side navigation tree of the domain name, click Access Control.

  5. On the Hotlink Protection tab, turn on Hotlink Protection.

  6. Select Blacklist or Whitelist based on your business requirements.

    Figure: Configure Referer hotlink protection

    Parameter: Type

    Description:

    • Blacklist: Requests from domain names that are included in the blacklist cannot access your resources.

    • Whitelist: Only requests from domain names that are included in the whitelist can access your resources.

    Note: The blacklist and whitelist are mutually exclusive. You can configure only one type of list at a time.

    Parameter: Rules

    Description:

    • You can add multiple domain names to the Referer whitelist or blacklist. Enter one domain name per line. Do not include a space in front of the domain names.

    • You can use asterisks (*) as wildcards. For example, if you add *.developer.aliyundoc.com to the Referer whitelist or blacklist, image.developer.aliyundoc.com or video.developer.aliyundoc.com can be matched.

    Note: The content that you enter in the Rules field cannot exceed 60 KB.

    Parameter: Allow resource URL access from browsers

    Description:

    By default, the check box is not selected. If you select the check box, requests that contain an empty Referer header are allowed to access DCDN resources, regardless of whether you configure a Referer whitelist or a blacklist. An empty Referer header may suggest one of the following scenarios:

    • The Referer header is not included in the requests.

    • The Referer header is included in the requests, but the value is empty.

  7. Click OK.

Matching logic

The following table describes the matching logic of the Referer header. If the Referer header in a request is not included in the whitelist or is included in the blacklist, DCDN rejects the request and returns HTTP status code 403.

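| Configured domain name | Referer header value in a request | Matched? | Description |
|---|---|---|---|
| www.example.com and *.example.com | http://www.example.com/img.jpg | Yes | The domain names in the Referer header match the domain names in the Referer whitelist or blacklist. |
| www.example.com and *.example.com | http://www.example.com:80/img.jpg | Yes | The domain names in the Referer header match the domain names in the Referer whitelist or blacklist. |
| www.example.com and *.example.com | www.example.com | No | The value of the Referer header in the request does not include the HTTP or HTTPS string. |
| www.example.com and *.example.com | http://aaa.example.com | Yes | The subdomains in the Referer header are covered by the wildcard domain name in the Referer whitelist or blacklist. |
| www.example.com and *.example.com | http://aaa.bbb.example.com | Yes | The subdomains in the Referer header are covered by the wildcard domain name in the Referer whitelist or blacklist. |
| www.example.com and *.example.com | http://example.com | No | The domain name in the Referer header does not match the wildcard domain name that is configured in the Referer whitelist or blacklist. This is because a wildcard domain matches subdomains but does not cover the root domain. |
| www.example.com and *.example.com | http://www.example.net | No rules matched | The domain name in the Referer header is not included in the blacklist or whitelist. Therefore, the request is allowed according to the default rule. |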
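
The matching logic above, written out as an added Python example for testing a rule list before it goes into the console; it is not Alibaba Cloud's code or the DCDN implementation. The function names are hypothetical, and three behaviours are assumptions: any port is stripped (the table only shows :80), only a leading `*.` wildcard is supported, and an empty Referer counts as unmatched when the check box is cleared.

```python
from urllib.parse import urlsplit

def expand_rules(domains):
    """A listed domain also covers its wildcard form (aliyundoc.com -> *.aliyundoc.com)."""
    rules = set()
    for d in (x.strip().lower() for x in domains):
        if d:
            rules.add(d)
            if not d.startswith("*."):
                rules.add("*." + d)
    return rules

def referer_matches(rules, referer):
    """True when the Referer's host is covered by a rule (the table's 'Yes' rows)."""
    try:
        parts = urlsplit(referer or "")
    except ValueError:          # malformed value, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False            # "www.example.com": no http:// or https:// prefix
    host = parts.hostname       # lower-cased, port removed (assumption: any port)
    for rule in rules:
        if rule.startswith("*."):
            suffix = rule[1:]   # ".example.com": subdomains only, never the root
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == rule:
            return True
    return False

def is_allowed(mode, rules, referer, allow_empty=False):
    """Model the outcome: True = resource served, False = HTTP 403."""
    if not referer and allow_empty:
        return True             # check box selected: empty or absent Referer passes
    matched = referer_matches(rules, referer)  # assumption: empty counts as unmatched
    return matched if mode == "whitelist" else not matched

RULES = expand_rules(["www.example.com", "*.example.com"])  # the table's configuration
TABLE = {  # Referer value -> whether the table says it matches
    "http://www.example.com/img.jpg": True,
    "http://www.example.com:80/img.jpg": True,
    "www.example.com": False,
    "http://aaa.example.com": True,
    "http://aaa.bbb.example.com": True,
    "http://example.com": False,
    "http://www.example.net": False,
}
for ref, expected in TABLE.items():
    print(f"{ref:36} matched={referer_matches(RULES, ref)} table={expected}")
```

Because the match is made on the parsed host rather than on a substring of the header, a constructed value such as `http://www.example.com.example.net/x` is not treated as `www.example.com`.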