By default, content distributed by CDN services is publicly available, and users can access it through URLs. To protect your resources from hotlinking and unauthorized access, you can use Referer whitelists and blacklists, IP whitelists and blacklists, and URL signing to control access. URL signing adds signature strings and timestamps to URLs to enhance access control. This topic describes how URL signing works, how to enable or disable URL signing, and how to verify the URL signing settings.
How URL signing works
- Origin server: The origin server signs URLs based on the URL signing rules, including authentication algorithms and cryptographic keys. Then, the origin server returns the signed URLs to clients.
- Client: The client initiates a request and sends the signed URL to CDN edge nodes for authentication.
- CDN edge nodes: The CDN edge nodes verify the authentication information, including the signature and timestamp, carried by the request.

- You must set URL signing rules, including authentication algorithms and cryptographic keys, on your origin server. For example, http://DomainName/timestamp/md5hash/FileName is a URL signed by the origin server.
- When a client attempts to access a URL, the origin server signs the URL based on the signing rules, and then returns the signed URL to the client, as shown in Step 2 and Step 3 in the preceding figure.
- The client uses the signed URL to request resources from CDN edge nodes.
- The CDN edge nodes check the authentication information, including the signature string and timestamp, carried by the request and determine whether the request is valid.
  - If the request fails the authentication, it is rejected by the CDN edge nodes.
  - If the request passes the authentication, the CDN edge nodes respond to it.
Note
- If the requested resource is not cached on CDN edge nodes, the nodes remove the authentication parameters from the URL and restore the URL to the original version before the request is redirected to the origin server. For example, the URL is restored to http://DomainName/FileName. Then, the original URL is used to generate a cache key or redirect the request to the origin server.
- After a request passes the authentication, the special characters such as equal signs (=) and plus signs (+) in the URL are escaped.
Configure and enable URL signing
- Before you enable URL signing, make sure that you have set URL signing rules, including authentication algorithms and cryptographic keys, on the origin server.
- The authentication logic on CDN edge nodes must be the same as that on the origin server.
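The sign-then-verify flow from "How URL signing works", written as an added example (not Alibaba Cloud's code) so the origin-side and edge-side logic can be compared side by side. The page gives only the URL layout http://DomainName/timestamp/md5hash/FileName; the hash input (key + timestamp + file path), the UTC minute-resolution timestamp, the 30-minute validity window, and the sample key are assumptions, so use the rule configured for your domain.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

KEY = "example-signing-key"    # constructed sample key
TTL = timedelta(minutes=30)    # assumed validity window
TS_FORMAT = "%Y%m%d%H%M"       # assumed timestamp format (UTC, minute resolution)


def _md5hash(key, timestamp, path):
    # Assumed signing rule: MD5 over key + timestamp + original file path.
    return hashlib.md5((key + timestamp + path).encode()).hexdigest()


def sign_url(domain, path, key, now):
    """Origin side: build http://DomainName/timestamp/md5hash/FileName."""
    ts = now.astimezone(timezone.utc).strftime(TS_FORMAT)
    return f"http://{domain}/{ts}/{_md5hash(key, ts, path)}{path}"


def verify_url(url, key, now):
    """Edge side: return the restored original URL, or None to reject."""
    parts = urlsplit(url)
    segments = parts.path.split("/", 3)  # ['', timestamp, md5hash, 'FileName']
    if len(segments) != 4 or not segments[3]:
        return None
    _, ts, digest, rest = segments
    path = "/" + rest
    if len(ts) != 12 or not ts.isdigit():
        return None
    try:
        issued = datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    if now > issued + TTL:               # timestamp check: signature expired
        return None
    expected = _md5hash(key, ts, path)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return None
    # Authentication parameters removed, as the Note above describes.
    return f"http://{parts.netloc}{path}"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed time
    signed = sign_url("cdn.example.com", "/video/a.mp4", KEY, t0)
    print(signed, "->", verify_url(signed, KEY, t0 + timedelta(minutes=5)))
```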
Check the URL signing result
To ensure that the authentication logic is correctly implemented, we recommend that you run a test in the Alibaba Cloud CDN console to check whether URLs can be correctly signed.
Disable URL signing

- Log on to the Alibaba Cloud CDN console, navigate to the URL Signing section, and then click Modify. In the dialog box that appears, turn off URL signing.
- On the origin server, delete the URL signing settings.