Hotlink protection requires you to configure a referer whitelist or blacklist to identify and filter users. This helps you restrict access to Alibaba Cloud CDN nodes and improve service security. This topic describes how to configure referer-based hotlink protection.
Background information
Hotlink protection uses an HTTP referer header to track request sources and identify requests.
Hotlink protection provides a referer whitelist or blacklist. After a user sends a request to a CDN node, the node authenticates the user identity based on the preset referer whitelist or blacklist. If the request passes the authentication, the user can access the requested resources. If the request fails the authentication, HTTP status code 403 is returned.
- Hotlink protection is optional. By default, hotlink protection is disabled.
- The blacklist and whitelist are mutually exclusive and cannot be enabled at the same time.
- After you configure hotlink protection, wildcard domain names are automatically supported. For example, if you enter example.com, the domain name that takes effect is *.example.com. Hotlink protection takes effect on all domains whose names match *.example.com.
- You can specify whether to allow requests with an empty referer header to access resources. If you allow the access, users can access resources by entering the resource URL in the address bar of a browser.
- Generally, mobile terminals cannot obtain the referer header. By default, requests with an empty referer header are allowed. If you do not allow requests with an empty referer header, you can use ApsaraVideo Player SDK to configure the referer whitelist or blacklist on mobile terminals.
- If you do not allow requests with an empty referer header, you must enable HTTPS secure acceleration and forcible redirect, and set the Redirect Type parameter to HTTP > HTTPS. Some browsers remove the referer header when they process HTTPS requests for HTTP resources. This causes access failures.
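The matching rules listed above can be modelled in a few lines of Python. This is an added example, not Alibaba Cloud's implementation; the function names, the treatment of the bare domain as covered by the wildcard, and the handling of a non-empty referer that has no host are assumptions of this model.

```python
from urllib.parse import urlsplit

def referer_host(referer):
    """Return None for a missing/empty Referer, else its lowercase host ('' if none)."""
    if referer is None or not referer.strip():
        return None
    try:
        return (urlsplit(referer.strip()).hostname or "").lower()
    except ValueError:  # malformed URL such as an unclosed IPv6 literal
        return ""

def host_matches(host, entry):
    """An entry 'example.com' takes effect as '*.example.com'.
    Assumption of this model: the bare domain itself is covered too."""
    entry = entry.lower()
    if entry.startswith("*."):
        entry = entry[2:]
    # Compare on a label boundary so 'notexample.com' does not match.
    return host == entry or host.endswith("." + entry)

def check_request(referer, mode, entries, allow_empty=True):
    """Return the status the page describes: 200 if allowed, 403 if rejected.
    mode is 'whitelist' or 'blacklist'; one list only, never both."""
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("mode must be 'whitelist' or 'blacklist'")
    host = referer_host(referer)
    if host is None:  # empty Referer: governed by its own switch
        return 200 if allow_empty else 403
    listed = any(host_matches(host, e) for e in entries)
    allowed = listed if mode == "whitelist" else not listed
    return 200 if allowed else 403

if __name__ == "__main__":
    # Constructed sample requests (Referer value, allow_empty setting).
    samples = [
        ("https://www.example.com/gallery", True),
        ("https://notexample.com/", True),
        ("https://example.com.other.test/", True),
        (None, True),
        (None, False),
    ]
    for referer, allow_empty in samples:
        status = check_request(referer, "whitelist", ["example.com"], allow_empty)
        print(f"{referer!r:40} allow_empty={allow_empty!s:5} -> {status}")
```

The label-boundary comparison in `host_matches` is the part worth verifying against a real configuration: a plain substring or suffix test would accept look-alike hosts that the wildcard is not meant to cover.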