The URL authentication feature can be used to protect origin server resources from unauthorized downloads and access. You can use the Referer hotlink protection feature to configure a referer blacklist or whitelist. This allows you to prevent partial hotlinking issues. The Referer content can be forged. Therefore, the hotlink protection feature is not a comprehensive security measure to protect your origin resources. To solve this issue, you can also use URL authentication to protect your origin resources.

Background information

DCDN nodes work with origin servers to implement URL authentication to protect resources on the origin servers in a more secure and reliable manner.
  • The DCDN nodes encrypt URLs that include authentication information.
  • Users send requests to the DCDN nodes by using encrypted URLs.
  • The DCDN nodes verify the authentication information in the encrypted URLs to determine whether the requests are valid. If the requests are valid, the DCDN nodes return successful responses. If the requests are invalid, the DCDN nodes reject the requests.

For more information about the sample Python code block for URL authentication, see URL signing examples.


  1. Log on to the DCDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage, and click Configure in the Actions column.
  4. In the left-side navigation pane on the details page of the specified domain name, click Access Control.
  5. Click the URL Authentication tab.
  6. Turn on URL Authentication Setting.
  7. In the URL Authentication dialog box, configure URL authentication.
    URL authentication
    Parameter Description
    Authentication Type
    DCDN supports three authentication types. You can select an authentication type based on your workloads to protect resources on origin servers. The following authentication types are supported:
    Note If URL authentication fails, a 403 error is returned.
    • MD5 calculation errors

      Example: X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be

    • Time-related errors

      Example: X-Tengine-Error:denied by req auth: expired timestamp=1439469547

    Primary Key Specify the primary key for the selected authentication type.
    Secondary Key Specify the secondary key for the selected authentication type.
  8. Click OK.

What to do next

To generate an encrypted URL, perform the following steps:
  1. In the Generate Encrypted URL for Testing section, set the Original URL parameter and specify other authentication information. Generate an encrypted URL
    Parameter Description
    Original URL Enter a complete URL, for example,
    Authentication Type
    Select an authentication type based on your business requirements.
    Authentication Key Set the authentication key based on your business requirements. The value of the Authentication Key parameter is the value of the Primary Key or Secondary Key parameter that you specify in the URL Authentication Setting section.
    Validity Period Set the TTL value for the encrypted URL. Unit: seconds. Example: 1,800.
  2. Click Generate to obtain Authentication URL and Timestamp.