Referer-based hotlink protection refers to access control based on the referer header. For example, you can configure a referer whitelist to allow only specified requests to access your resources or a referer blacklist to block specified requests. Referer-based hotlink protection identifies and filters user identities and protects your resources from unauthorized access. This topic describes how to configure a referer whitelist or blacklist to enable hotlink protection.

Background information

  • By default, this feature is disabled.
  • After you add a domain name to the referer whitelist or blacklist, the wildcard domain name that matches the domain name is automatically added to the whitelist or blacklist. For example, if you add to the whitelist or blacklist, the domain name that takes effect is * Hotlink protection takes effect on all domain names that match *

The referer header is a component of the header section in HTTP requests and contains information about the source address, including the protocol, domain name, and query string. Referer is used to identify the source of a request.

After you configure a referer whitelist or blacklist, Alibaba Cloud CDN allows or blocks requests based on user identities. If a request is authorized, Alibaba Cloud CDN returns the URL of the requested resource. Otherwise, Alibaba Cloud CDN returns the HTTP 403 status code.

Referer-based hotlink protection


  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
  4. In the left-side navigation pane of the domain name, click Access Control.
  5. On the Hotlink Protection tab, click Modify.
  6. Select Denylist or Allowlist based on your business requirements.
    Referer-based hotlink protection
    Parameter Description
    • Blacklist

      Requests from the domain names in the blacklist cannot access the current resource.

    • Whitelist

      Only the requests from the domain names in the whitelist are allowed to access the current resource.

    Note Blacklists and whitelists are mutually exclusive. You can configure only one type of list at a time.
    • You can add multiple domain names to the referer whitelist or blacklist. Separate domain names with carriage return characters.
    • You can use an asterisk (*) wildcard character to specify wildcard domain names. If you add * to the whitelist or blacklist, or can be matched.
    Note The content that you enter in the Rules field cannot exceed 60 KB.
    Allow resource URL access from browsers If you select this check box, requests that have empty referer values or do not contain the referer field, such as requests that are sent from browsers, can access the requested resource regardless of the referer whitelist or blacklist.
  7. Click OK.