Alibaba Cloud CDN provides the URL signing feature to protect origin servers from unauthorized access and downloads. Hotlink protection provides a referer blacklist and a referer whitelist that can address some hotlink issues. However, the referer header can be forged. Origin servers require protection features that are more optimized than hotlink protection. In this case, you can enable the URL signing feature to protect your origin server.

Background information

URL signing works with both origin servers and edge nodes to protect origin servers from hotlink issues.
  • URLs can be signed by edge nodes. Signed URLs carry signature information that can be used for permission verification.
  • Users send signed URLs to edge nodes.
  • Edge nodes authenticate the signatures of the URLs to determine whether the requests are valid. If a request is valid, the edge node returns a response. If a request is invalid, the edge node rejects the request.

For more information about the sample Python code block for URL signing, see URL signing examples.

Notice After a request passes the authentication, special characters such as equal signs (=) and plus signs (+) in the URL are escaped.

How it works

  • URL signing enabled: If a request is valid, URL parameters are removed from the request. Alibaba Cloud CDN restores the URL to the original one that carries authentication-specific parameters. Then, the original URL is used to generate cache keys or redirected to the origin server.
  • URL signing disabled: Authentication-specific parameters must be removed from user requests. Otherwise, Alibaba Cloud CDN cannot restore requests to the original ones that carry authentication-specific parameters. This results in cache misses, and these requests are redirected to the origin server. In this case, data transfer on the origin server is greatly increased, which also causes the data transfer fee to increase.


  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
  4. In the management pane of the domain name, click Access Control.
  5. Click the URL Signing tab.
  6. In the URL Signing section, click Modify.
  7. In the Set URL Signing dialog box, turn on URL Signing and set the parameters.
    Configure URL signing
    Parameter Description
    Alibaba Cloud CDN supports three signing types. You can select a signing type based on your business requirements to protect resources on your origin server. Supported signing types are:
    Note If a URL signing error occurs, a 403 error is returned. Causes of the error include:
    • Invalid MD5 values

      Example: X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be

    • Invalid timestamps

      Example: X-Tengine-Error:denied by req auth: expired timestamp=1439469547

    Primary Key Specify the primary key for the selected signing type.
    Secondary Key Specify the secondary key for the selected signing type.
    Authentication Key Validity Period The default validity period is 1,800 seconds (30 minutes). You can set a validity period based on your business requirements. Valid values are 1 to 31536000, in seconds. 31,536,000 seconds equals one year.
  8. Click OK.