Referer-based hotlink protection refers to access control based on the Referer header of HTTP requests. For example, you can configure a referer whitelist to allow only requests from specified sources to access your resources, or a referer blacklist to block requests from specified sources. Referer-based hotlink protection identifies the source of each request, filters requests accordingly, and protects your resources from unauthorized access (hotlinking). This topic describes how to configure a referer whitelist or blacklist to enable hotlink protection.

Background information

Important
  • By default, this feature is disabled.
  • After you add a domain name to the referer whitelist or blacklist, the wildcard domain name that matches the domain name is automatically added to the whitelist or blacklist. For example, if you add aliyundoc.com to the whitelist or blacklist, the domain name that takes effect is *.aliyundoc.com. Hotlink protection takes effect on all domain names that match *.aliyundoc.com.

The Referer header is part of the header section of an HTTP request and carries information about the address the request originated from, including the protocol, domain name, and query string. The Referer header is used to identify the source of a request.

After you configure a referer whitelist or blacklist, Alibaba Cloud CDN allows or denies requests based on user identities. If a request is allowed, Alibaba Cloud CDN returns the URL of the requested resource. Otherwise, Alibaba Cloud CDN returns the HTTP 403 status code.


Procedure

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
  4. In the left-side navigation pane of the domain name, click Access Control.
  5. On the Hotlink Protection tab, click Modify.
  6. Select Blacklist or Whitelist based on your business requirements.
    The following parameters are available:

    Type
    • Blacklist: Requests whose referer matches a domain name in the blacklist cannot access the resources.
    • Whitelist: Only requests whose referer matches a domain name in the whitelist can access the resources.
    Note: Blacklists and whitelists are mutually exclusive. You can configure only one type of list at a time.

    Rules
    • You can add multiple domain names to the referer whitelist or blacklist. Separate domain names with carriage return characters (one domain name per line).
    • You can use an asterisk (*) wildcard character to specify wildcard domain names. If you add *.developer.aliyundoc.com to the whitelist or blacklist, image.developer.aliyundoc.com and video.developer.aliyundoc.com are matched.
    Note: The content that you enter in the Rules field cannot exceed 60 KB.

    Redirect URL
    • Whitelist: Specifies the redirect URL. If the referer in the request does not match the whitelist, the request is still blocked, but the 403 status code is not returned. Instead, the 302 status code and a Location header are returned. This parameter is the value of the Location header and must start with http:// or https://, such as http://www.example.com.
    • Blacklist: Specifies the redirect URL. If the referer in the request matches the blacklist, the request is still blocked, but the 403 status code is not returned. Instead, the 302 status code and a Location header are returned. This parameter is the value of the Location header and must start with http:// or https://, such as http://www.example.com.

    Advanced Settings
    • Allow resource URL access from browsers: If you select this check box, requests that have an empty referer value or do not contain the Referer header at all, such as requests that are sent directly from a browser, can access the requested resource regardless of the referer whitelist or blacklist.

    Exact Match
    Whitelist: Specifies whether to enable exact match for domain names in the whitelist.
    • If Exact Match is selected:
      • Exact match is supported.

        If you add example.com to the whitelist, example.com is matched.

        If you add a*b.example.com to the whitelist, a<Any characters>b.example.com is matched.

      • Suffix match is not supported.
    • If Exact Match is not selected:
      • Exact match is not supported.
      • Suffix match is supported.

        If you add example.com to the whitelist, example.com and <Any characters>.example.com are matched.

        If you add a*b.example.com to the whitelist, a<Any characters>b.example.com and <Any characters>.a<Any characters>b.example.com are matched.

    Blacklist: Specifies whether to enable exact match for domain names in the blacklist.
    • If Exact Match is selected:
      • Exact match is supported.

        If you add example.com to the blacklist, example.com is matched.

        If you add a*b.example.com to the blacklist, a<Any characters>b.example.com is matched.

      • Suffix match is not supported.
    • If Exact Match is not selected:
      • Exact match is not supported.
      • Suffix match is supported.

        If you add example.com to the blacklist, example.com and <Any characters>.example.com are matched.

        If you add a*b.example.com to the blacklist, a<Any characters>b.example.com and <Any characters>.a<Any characters>b.example.com are matched.

    Ignore Scheme
    This setting applies when either a referer blacklist or a referer whitelist is configured:
    • If Ignore Scheme is selected, a referer that does not start with the http:// or https:// scheme prefix is still considered valid. For example, a referer in the format www.example.com is valid.
    • If Ignore Scheme is not selected, a referer that does not start with the http:// or https:// scheme prefix is considered invalid. For example, a referer in the format www.example.com is invalid. Only referers in the format https://www.*.com or http://www.*.com are valid.
  7. Click OK.
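The following Python model of the referer check shows how the options in step 6 combine: list type, wildcard rules, Exact Match versus suffix match, Ignore Scheme, the browser check box, and the Redirect URL that turns a 403 into a 302. It is an added example, not Alibaba Cloud CDN code, and the function names, return values and the handling of one case the page does not spell out (an invalid referer is treated as failing the check under both list types) are my own assumptions. Note that with the browser check box selected, any client that simply omits the Referer header passes the check, so the lists only restrict embedding by other sites, not direct requests.

```python
"""Model of referer-based hotlink protection (added example; not Alibaba Cloud CDN code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple
from urllib.parse import urlsplit

RULES_LIMIT_BYTES = 60 * 1024  # the Rules field cannot exceed 60 KB


def parse_rules(text: str) -> list:
    """Split the Rules field (one domain name per line) into lowercase patterns."""
    if len(text.encode("utf-8")) > RULES_LIMIT_BYTES:
        raise ValueError("Rules field exceeds 60 KB")
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


@dataclass
class HotlinkPolicy:
    mode: str                            # "whitelist" or "blacklist"; only one at a time
    rules_text: str                      # contents of the Rules field; '*' is the wildcard
    exact_match: bool = False            # Exact Match check box
    ignore_scheme: bool = False          # Ignore Scheme check box
    allow_empty_referer: bool = False    # "Allow resource URL access from browsers"
    redirect_url: Optional[str] = None   # Redirect URL; None means a plain 403

    def __post_init__(self):
        if self.mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        if self.redirect_url and not self.redirect_url.lower().startswith(("http://", "https://")):
            raise ValueError("Redirect URL must start with http:// or https://")
        self.rules = parse_rules(self.rules_text)


def referer_host(referer: str, ignore_scheme: bool) -> Optional[str]:
    """Extract the host from a Referer value, or None if the value is invalid."""
    value = referer.strip()
    try:
        if value.lower().startswith(("http://", "https://")):
            return urlsplit(value).hostname
        if not ignore_scheme:
            return None  # without Ignore Scheme a scheme-less referer is invalid
        return urlsplit("//" + value).hostname  # Ignore Scheme: accept www.example.com
    except ValueError:  # malformed URL (for example a broken IPv6 literal)
        return None


def rule_matches(pattern: str, host: str, exact_match: bool) -> bool:
    """'*' matches any run of characters; without Exact Match, <anything>.pattern matches too.
    fnmatchcase also treats '?' and '[' specially, which cannot occur in domain names."""
    if fnmatchcase(host, pattern):
        return True
    return (not exact_match) and fnmatchcase(host, "*." + pattern)


def evaluate(policy: HotlinkPolicy, referer: Optional[str]) -> Tuple[int, Optional[str]]:
    """Return (status, location): (200, None) allow, (403, None) block, (302, url) redirect."""
    blocked = (302, policy.redirect_url) if policy.redirect_url else (403, None)
    if referer is None or not referer.strip():
        return (200, None) if policy.allow_empty_referer else blocked
    host = referer_host(referer, policy.ignore_scheme)
    if not host:
        return blocked  # assumption: an invalid referer fails under both list types
    host = host.lower()
    listed = any(rule_matches(p, host, policy.exact_match) for p in policy.rules)
    if policy.mode == "whitelist":
        return (200, None) if listed else blocked
    return blocked if listed else (200, None)


if __name__ == "__main__":
    # Constructed sample configuration and referers for a quick demonstration.
    policy = HotlinkPolicy("whitelist", "example.com\na*b.example.com",
                           redirect_url="http://www.example.com")
    for ref in ("https://img.example.com/page", "https://axxb.example.com/", "https://evil.com/",
                "www.example.com", ""):
        print(repr(ref), "->", evaluate(policy, ref))
```

The model applies the check in the order the console options suggest: the empty-referer exception first, then scheme validation, then list matching, and finally the choice between 403 and a 302 redirect. Keep Ignore Scheme and the browser check box unselected unless a legitimate client needs them, since each one widens the set of requests that pass.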