Hotlink protection requires you to configure a referer whitelist or blacklist to identify and filter users. This helps you restrict access to Alibaba Cloud CDN nodes and improve service security. This topic describes how to configure referer-based hotlink protection.

Background information

Hotlink protection uses an HTTP referer header to track request sources and identify requests.

Hotlink protection provides a referer whitelist or blacklist. After a user sends a request to a CDN node, the node authenticates the user identity based on the preset referer whitelist or blacklist. If the request passes the authentication, the user can have access to the requested resources. If the request fails the authentication, HTTP status code 403 is returned.

  • Hotlink protection is optional. By default, hotlink protection is disabled.
  • The blacklist and whitelist are mutually exclusive and cannot be enabled at the same time.
  • After you configure hotlink protection, wildcard domain names are automatically supported. For example, if you enter, the domain name that takes effect is * Hotlink protection takes effect on all domains whose names match *.aexamplecom.
  • You can specify whether to allow requests with an empty referer header to have access to resources. If you allow the access, users can have access to resources by entering the resource URL in the address bar of a browser.
    • Generally, mobile terminals cannot obtain the referer header. By default, requests with an empty referer header are allowed. If you do not allow requests with an empty referer header, you can use ApsaraVideo Player SDK to configure the referer whitelist or blacklist on mobile terminals.
    • If you do not allow requests with an empty referer header, you must enable HTTPS secure acceleration and forcible redirect, and set the Redirect Type parameter to HTTP > HTTPS. Some browsers remove the referer header when they process HTTPS requests for HTTP resources. This causes access failures.


  1. Log on to the ApsaraVideo Live console.
  2. In the left-side navigation pane, click Domains to go to the Domain Management page.
  3. Find the streaming domain that you want to configure and click Domain Settings.
  4. Choose Streaming Management > Access Control.
  5. Turn on Hotlink Protection.
  6. Set the Type and Referrers parameters and click OK.
    Configure hotlink protection
    The following table describes the types of referer-based hotlink protection.
    BlacklistAll requests that are sent from domain names in the blacklist are denied.
    WhitelistOnly requests that are sent from domain names in the whitelist are allowed. Requests from other domain names are denied.