
ApsaraVideo VOD:Configure Referer Hotlink Protection

Last Updated: Feb 09, 2026

Referer-based hotlink protection uses the Referer field in HTTP request headers to enforce access control through a Referer whitelist or blacklist. It identifies and filters visitors to prevent unauthorized use of your website resources. After you configure a Referer whitelist or blacklist, CDN checks each request against the list and either allows or denies access. If the request is allowed, CDN returns the resource at the requested URL; if it is denied, CDN returns HTTP status code 403. This topic describes how to configure Referer hotlink protection.

Important
  • In ApsaraVideo VOD, Referer hotlink protection is disabled by default. This means any website can access your resources.

  • After you add a domain name to the Referer blacklist or whitelist, the wildcard domain name that matches the domain name is automatically added to the blacklist or whitelist. For example, if you add aliyundoc.com to the Referer blacklist or whitelist, it takes effect for all domain names that match *.aliyundoc.com.

  • For Range requests, browsers add the Referer header on the second request. To allow these requests, add the domain to the Referer whitelist.

  • After enabling Referer hotlink protection in ApsaraVideo VOD, add vod.console.alibabacloud.com to the Referer whitelist to preview videos in the ApsaraVideo VOD console.

Referer structure

The Referer header is part of the header section of an HTTP request. It carries the address of the page that issued the request and is used to identify the source of the request. The Referer header consists of the scheme, domain, path, and parameters. The following figure describes the structure of the Referer header.

[Figure: structure of the Referer header (scheme, domain, path, parameters)]
Note
  • The protocol and domain name are required, and the path and query parameters are optional.

  • If you select Ignore Scheme, Alibaba Cloud lets you specify only the domain name as the Referer, without the scheme.

Scenarios

A Referer blacklist or whitelist is suitable for the following scenarios:

  • Copyright protection: To safeguard copyrighted content on your website, you can use a Referer blacklist or whitelist to allow only authorized websites to access the content.

  • Hotlink protection: Referer whitelists or blacklists can prevent your resources from being used by other websites.

  • Enhanced website security: Only domain names that are included in the Referer whitelist are allowed to access your website resources. This prevents malicious hotlinking or theft of sensitive information.

  • Traffic source management: You can manage the domains that are authorized to use your resources. This ensures the security and stability of your website.

You can use the feature in different scenarios to protect your website assets, manage traffic, and improve website security.

How it works

The server checks the Referer field of each request and rejects the request if the Referer field does not match the pre-configured whitelist. This saves bandwidth and server resources. Alibaba Cloud CDN applies the following Referer rules:

  • If the Referer header in the request is included in the Referer blacklist or is not included in the Referer whitelist, Alibaba Cloud CDN rejects the request.

  • If the Referer header in the request is included in the Referer whitelist, Alibaba Cloud CDN allows the request.

[Figure: Referer check workflow in Alibaba Cloud CDN]

Procedure

  1. Log on to the ApsaraVideo VOD console.

  2. In the navigation pane on the left, under Configuration Management, click CDN Configuration > Domain Names.

  3. On the Domain Names page, find the target domain name. Click Actions, then click Configure.

  4. In the navigation pane on the left for that domain, click Resource Access Control.

  5. On the Referer Hotlink Protection tab, click Modify.

  6. Select Blacklist or Whitelist as needed.

    The following parameters are available:

    Type
    • Blacklist: Requests whose Referer field is in the Referer blacklist cannot access the resources.
    • Whitelist: Only requests whose Referer field is in the Referer whitelist can access the resources.
    Note: The whitelist and blacklist are mutually exclusive. You can configure only one of the lists.

    Rules
    • You can add multiple domain names to the Referer blacklist or whitelist. Enter one domain name per line (separate them with line breaks).
    • You can use asterisks (*) as wildcards to match all domain names. For example, *.example.com matches all subdomains of example.com.
    • You can also omit the asterisk (*) to match the domain and all of its subdomains. For example, example.com matches example.com and *.example.com.
    Note:
    • The content that you enter in the Rules field cannot exceed 60 KB.
    • You do not need to specify the protocol when you configure rules.

    Redirect URL
    If a request is blocked, HTTP status code 302 and the Location header are returned. This parameter is the value of the Location header. The value must start with http:// or https://, such as http://www.example.com.

    Advanced
    Allow resource URL access from browsers: By default, the check box is not selected. If you select it, requests that carry an empty Referer header are allowed to access CDN resources, regardless of whether you configure a Referer blacklist or whitelist. An empty Referer header means either of the following:
    • The Referer header is not included in the request.
    • The Referer header is included, but its value is empty.

    Exact match: By default, this option is not selected. If selected, wildcards (*) are no longer supported for domain matching. For example, example.com matches only example.com, not its subdomains.

    Ignore scheme:
    • If you do not select Ignore Scheme, the value of the Referer header must start with http:// or https://.
    • If you select Ignore Scheme, the value of the Referer header does not need to start with http:// or https://.

  7. Click OK to complete the configuration.

Referer matching logic

The table below shows how Referer matching works. If a request does not match the whitelist—or matches the blacklist—CDN rejects the request and returns HTTP status code 403.

List configuration (entries in the whitelist or blacklist):
  • www.example.com
  • *.example.com

Referer in request: http://www.example.com/img.jpg, or http://www.example.com:80/img.jpg
Match result: Yes
Matching logic: The domain in the Referer header matches an entry in the rule list (the same logic applies to the request that carries the :80 port).

Referer in request: www.example.com
Match result: Depends on Ignore scheme (see matching logic)
Matching logic:
  • If Ignore scheme is not selected, the result is No. The Referer header lacks http:// or https://.
  • If Ignore scheme is selected, the result is Yes.

Referer in request: http://aaa.example.com
Match result: Yes
Matching logic: The result is Yes regardless of whether Exact match is selected.

Referer in request: http://aaa.bbb.example.com
Match result: Depends on Exact match (see matching logic)
Matching logic:
  • If Exact match is not selected, the result is Yes. The rule *.example.com matches multi-level subdomains.
  • If Exact match is selected, the result is No. The rule *.example.com matches only second-level domains, not third-level domains.

Referer in request: http://example.com
Match result: No
Matching logic: The second-level domain in the Referer header does not match the wildcard entry. Wildcard entries do not include the second-level domain itself.

Referer in request: http://www.example.net
Match result: No match
Matching logic: The request matches neither the whitelist nor the blacklist. By default, access is allowed.
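The rules in "How it works", the parameter descriptions in the procedure, and the matching table above can be exercised end to end in code. The following Python module is an added example written for this page; it is not Alibaba Cloud CDN's implementation and the data structures, function names and sample Referer values are my own construction. It models the blacklist/whitelist choice, the wildcard and bare-domain rule forms, the Exact match and Ignore scheme switches, the empty-Referer allowance, and the 403 or 302-with-Location outcome for blocked requests, then replays the table rows against a whitelist of www.example.com and *.example.com.

```python
"""Model of the Referer hotlink-protection rules described on this page.

Added example, not Alibaba Cloud CDN's own code. It encodes the behaviour the
page states: blacklist or whitelist (mutually exclusive), wildcard and
bare-domain rules, the Exact match and Ignore scheme switches, "Allow resource
URL access from browsers" for empty Referer headers, and a 403 or a 302 to the
configured Redirect URL when a request is blocked.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

RULES_MAX_BYTES = 60 * 1024  # the Rules field cannot exceed 60 KB


def parse_rules(text: str) -> List[str]:
    """Split the Rules field (one domain per line) into normalised entries."""
    if len(text.encode("utf-8")) > RULES_MAX_BYTES:
        raise ValueError("Rules field exceeds 60 KB")
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


@dataclass
class RefererPolicy:
    mode: str                           # "whitelist" or "blacklist"
    rules: List[str]                    # e.g. ["www.example.com", "*.example.com"]
    exact_match: bool = False           # Exact match: wildcards no longer expand
    ignore_scheme: bool = False         # Ignore scheme: Referer may omit http(s)://
    allow_empty_referer: bool = False   # Allow resource URL access from browsers
    redirect_url: str = ""              # Redirect URL: 302 + Location instead of 403


def referer_host(referer: str, ignore_scheme: bool) -> Optional[str]:
    """Domain named by a Referer value, or None if it cannot be evaluated.

    A value starting with http:// or https:// always yields its host (port
    dropped, as in the http://www.example.com:80/img.jpg table row). A bare
    domain is usable only when Ignore scheme is selected.
    """
    if referer.startswith(("http://", "https://")):
        return urlsplit(referer).hostname
    if ignore_scheme:
        return urlsplit("http://" + referer).hostname
    return None


def rule_matches(rule: str, host: str, exact_match: bool) -> bool:
    """Apply one list entry to a Referer host using the page's matching rules."""
    rule = rule.strip().lower()
    if rule.startswith("*."):
        base = rule[2:]
        if not host.endswith("." + base):
            return False  # a wildcard entry never covers the bare domain itself
        if exact_match:
            # With Exact match, *.example.com covers aaa.example.com only,
            # not aaa.bbb.example.com.
            return "." not in host[: -len(base) - 1]
        return True
    if exact_match:
        return host == rule  # example.com matches only example.com
    return host == rule or host.endswith("." + rule)  # domain and all subdomains


def evaluate(policy: RefererPolicy, referer: str) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, Location header) as the CDN would answer."""
    if policy.mode not in ("whitelist", "blacklist"):
        raise ValueError("mode must be 'whitelist' or 'blacklist', never both")
    if referer == "" and policy.allow_empty_referer:
        return 200, None
    host = referer_host(referer, policy.ignore_scheme) if referer else None
    matched = host is not None and any(
        rule_matches(r, host, policy.exact_match) for r in policy.rules)
    # Whitelist: only listed Referers pass. Blacklist: listed Referers are rejected.
    allowed = matched if policy.mode == "whitelist" else not matched
    if allowed:
        return 200, None
    if policy.redirect_url:
        return 302, policy.redirect_url
    return 403, None


def matching_table() -> Dict[str, int]:
    """Replay the page's matching-logic table against a whitelist of
    www.example.com and *.example.com (Referer values constructed from the
    table). Keys describe the request; values are the resulting status codes."""
    wl = RefererPolicy("whitelist", parse_rules("www.example.com\n*.example.com"))
    exact = replace(wl, exact_match=True)
    return {
        "http://www.example.com/img.jpg": evaluate(wl, "http://www.example.com/img.jpg")[0],
        "http://www.example.com:80/img.jpg": evaluate(wl, "http://www.example.com:80/img.jpg")[0],
        "www.example.com (scheme required)": evaluate(wl, "www.example.com")[0],
        "www.example.com (ignore scheme)": evaluate(replace(wl, ignore_scheme=True), "www.example.com")[0],
        "http://aaa.example.com": evaluate(wl, "http://aaa.example.com")[0],
        "http://aaa.example.com (exact)": evaluate(exact, "http://aaa.example.com")[0],
        "http://aaa.bbb.example.com": evaluate(wl, "http://aaa.bbb.example.com")[0],
        "http://aaa.bbb.example.com (exact)": evaluate(exact, "http://aaa.bbb.example.com")[0],
        "http://example.com": evaluate(wl, "http://example.com")[0],
        "http://www.example.net": evaluate(wl, "http://www.example.net")[0],
    }


if __name__ == "__main__":
    for request, status in matching_table().items():
        print(f"{status}  {request}")
```

The whitelist run rejects http://www.example.net with 403 because, per "How it works", a Referer that is not in the whitelist is rejected; the table's "access is allowed" outcome for that row is what a blacklist produces, which `evaluate` reproduces when `mode` is `"blacklist"`. The empty-Referer path is the one the FAQ below discusses: with `allow_empty_referer` unset, a whitelist rejects such requests and a blacklist lets them through.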

FAQ

Why does the Referer header sometimes lack http:// or https://?

In most cases, the HTTP or HTTPS string is included in the Referer header in a request.

However, in some cases, when a browser navigates a request from a website that does not use HTTPS to a website that uses HTTPS, the browser may present only the domain name in the Referer header. This is to protect sensitive user data based on security policies such as Referrer-Policy.

In addition, some browsers or proxy servers may automatically exclude the Referer string in specific scenarios, such as access in private browsing mode or by using an anonymous proxy.

In practice, therefore, account for requests whose Referer header lacks http:// or https:// so that they are evaluated correctly.

Why is the Referer header empty in a request? What do I do to resolve the issue?

In most cases, the Referer header in a request contains the full URI, which includes the protocol, such as http or https, the hostname, and possibly the path and query string. The Referer header in a request may be empty due to the following reasons:

  • Direct access: If a user enters a URL in the address bar of a browser, uses a bookmark, or opens a new blank browser tab, the Referer header is empty because a referring page does not exist.

  • User privacy settings: Users configure private browsing mode or use privacy-focused extensions to remove the Referer header out of privacy concerns.

  • Security protocol: If a request is redirected from an HTTPS page to an HTTP page, the browser does not present the Referer header to prevent leakage of sensitive information.

  • Client policy: For security purposes, some websites or applications may restrict the browser from sending the Referer header by specifying the <meta> tag or HTTP headers, such as Referrer-Policy.

  • Cross-origin requests: Specific cross-origin requests may not include the Referer header based on the security policy of the browser.

How to handle an empty Referer header depends on your scenario and security requirements:

  • Default policy: If your service does not rely on the Referer header, you can allow requests that have an empty Referer header.

  • Allow access: To accept requests for specific URLs or from specific sources even when they carry no Referer, select Allow resource URL access from browsers. POPs then allow users to access your resources regardless of whether the Referer header is empty.