
Edge Security Acceleration: Configure a Referer whitelist or blacklist for hotlink protection

Last Updated: Mar 31, 2026

A Referer blacklist or whitelist controls access based on the Referer field in HTTP request headers. This feature prevents hotlinking and unauthorized use of your resources. Once configured, DCDN allows or denies requests based on the Referer information.

Important
  • The Referer blacklist or whitelist feature is disabled by default for Alibaba Cloud DCDN. This means any website can access your resources.

  • A Referer blacklist or whitelist is one of several ways to prevent traffic theft. For more protection methods, see Best practices for preventing traffic theft.

  • When you add a domain name to a Referer blacklist or whitelist, DCDN by default applies the rule to both the domain itself and its subdomains. For example, if you enter aliyundoc.com, the rule applies to both the domain and subdomains like *.aliyundoc.com.

Use cases

A Referer blacklist or whitelist is primarily used to protect your website resources from unauthorized access and hotlinking. Common use cases include:

  • Copyright protection: Use a Referer blacklist or whitelist to restrict access to authorized websites and protect copyrighted content.

  • Hotlink protection: A Referer blacklist or whitelist ensures that your resources can be used only on specific websites, which prevents hotlinking.

  • Improved website security: By allowing only specific websites to access your resources, you can prevent malicious hotlinking, unauthorized access, and theft of sensitive information.

  • Traffic source control: Controlling traffic sources by restricting access to specific referring websites enhances your website's stability and security.

You can use the Referer blacklist or whitelist feature to protect your resources, improve security, and control traffic.

How it works

The POP checks the Referer field of each incoming request. If the Referer violates the configured rules (for example, it is on a blacklist or not on a whitelist), the POP denies the request at the edge, which saves bandwidth and origin server resources. DCDN processes requests according to the following rules:

  • If the Referer header of a request matches an entry in the blacklist or does not match any entry in the whitelist, DCDN denies the request.

  • If the Referer header of a request matches an entry in the whitelist, DCDN allows the request.

Procedure

  1. Log on to the DCDN console.

  2. In the left-side navigation pane, click Domain Names.

  3. On the Domain Names page, find the domain name that you want to manage and click Configure.

  4. In the left-side navigation tree of the domain name, click Access Control.

  5. On the Hotlink Protection tab, turn on Hotlink Protection.

  6. Select Blacklist or Whitelist based on your needs.

    [Image: Configure Referer hotlink protection]

    The following parameters are available:

    Type

    • Blacklist

      Requests from domain names in the blacklist are denied.

    • Whitelist

      Only requests from domain names in the whitelist can access your resources.

    Note

    The blacklist and whitelist are mutually exclusive. You can configure only one at a time.

    Rules

    • You can add multiple domain names to the list. Enter one domain name per line with no leading spaces.

    • You can use asterisks (*) as wildcards. For example, adding *.developer.aliyundoc.com matches image.developer.aliyundoc.com and video.developer.aliyundoc.com.

    Note

    The rule list cannot exceed 60 KB.

    Redirect URL

    Blocked requests receive an HTTP 302 redirect to this URL. The URL must start with http:// or https://, for example, http://www.example.com.

    Advanced Settings

    Allow resource URL access from browsers

    Disabled by default. When enabled, requests with an empty Referer header can access DCDN resources regardless of whether you configure a whitelist or blacklist. An empty Referer header occurs when:

    • The request has no Referer header.

    • The request has a Referer header with an empty value.

    Exact Match

    The check box is not selected by default. If you select this check box, subdomains cannot be matched. For example, if you add example.com to the list, only example.com is matched — subdomains are excluded.

    Ignore Scheme

    • When disabled, the Referer value must include an http:// or https:// scheme.

    • When enabled, the Referer value is matched without requiring an http:// or https:// scheme.

  7. Click OK.

Matching logic

The following table shows how DCDN matches the Referer header against your list. If the Referer matches a blacklist entry or fails to match any whitelist entry, DCDN rejects the request with HTTP 403.

Every row below uses the same configured list, which contains two domain names: www.example.com and *.example.com.

  Referer header value in a request    Matched            Description
  http://www.example.com/img.jpg       Yes                The Referer domain matches a domain in the list.
  http://www.example.com:80/img.jpg    Yes                The Referer domain matches a domain in the list (the :80 port does not affect the match).
  www.example.com                      No                 The Referer value does not include an HTTP or HTTPS scheme.
  http://aaa.example.com               Yes                The wildcard *.example.com matches subdomains at any depth.
  http://aaa.bbb.example.com           Yes                The wildcard *.example.com matches subdomains at any depth.
  http://example.com                   No                 A wildcard entry *.example.com matches subdomains but not the root domain itself.
  http://www.example.net               No rules matched   The domain is not in the list, so the default allow rule applies.
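To make the Procedure parameters (Exact Match, Ignore Scheme, Allow resource URL access from browsers) and the matching table above concrete, here is an added reference implementation of the Referer decision as this page describes it. It is example code written for this page, not DCDN's own implementation; where the page leaves a case unspecified (an empty Referer while the browser-access option is off), it assumes the empty value simply matches no entry and the list rules decide.

```python
from urllib.parse import urlsplit


def referer_host(referer: str, ignore_scheme: bool = False):
    """Extract the hostname from a Referer value, or return None when it cannot be
    matched: the value is empty, or it lacks a scheme while Ignore Scheme is off."""
    if not referer:
        return None
    if referer.lower().startswith(("http://", "https://")):
        return urlsplit(referer).hostname          # port, path and query are dropped
    if ignore_scheme:
        return urlsplit("//" + referer).hostname   # bare "host[:port]/path" value
    return None


def entry_matches(entry: str, host: str, exact: bool = False) -> bool:
    """Match one configured domain name, optionally with a leading "*." wildcard."""
    entry, host = entry.lower(), host.lower()
    if entry.startswith("*."):
        # "*.example.com" matches subdomains at any depth but not the root domain
        return host.endswith(entry[1:])
    if host == entry:
        return True
    # Without Exact Match, a plain entry also covers its subdomains (page: aliyundoc.com)
    return not exact and host.endswith("." + entry)


def decide(referer, entries, list_type, *, allow_empty=False, exact=False,
           ignore_scheme=False):
    """Return "allow" or "deny" for one request following the rules described above.
    Assumption (not stated on the page): an empty Referer with allow_empty off
    matches no entry, so the whitelist denies it and the blacklist allows it."""
    if not referer and allow_empty:
        return "allow"                              # browser-access option enabled
    host = referer_host(referer, ignore_scheme)
    matched = host is not None and any(entry_matches(e, host, exact) for e in entries)
    if list_type == "blacklist":
        return "deny" if matched else "allow"
    return "allow" if matched else "deny"           # whitelist


if __name__ == "__main__":
    # Constructed sample: the two entries and the Referer values from the table
    rules = ["www.example.com", "*.example.com"]
    for value in ["http://www.example.com/img.jpg", "www.example.com",
                  "http://aaa.bbb.example.com", "http://example.com"]:
        print(f"{value!r:36} whitelist -> {decide(value, rules, 'whitelist')}")
```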

FAQ

Referer header without scheme

Normally, the Referer in a user request should include an HTTP or HTTPS scheme. However, in some cases, the scheme might be missing.

A common reason is when a user navigates from an insecure site (HTTP) to a secure site (HTTPS). Browsers may modify or strip the Referer field based on security policies such as Referrer-Policy to protect user data. In such cases, the Referer field might only contain the domain name without the scheme.

Additionally, some browsers or proxy servers might automatically remove the Referer field in certain situations, such as in private browsing mode or when accessing a website through an anonymous proxy.

Handling empty Referer headers

An empty Referer means the Referer request header is missing from an HTTP request. Normally, a Referer header contains a full URI, including the scheme (such as http or https), hostname, and potentially the path and query string. An empty Referer can occur for several reasons:

  • Direct access: When a user types a URL directly into the browser's address bar, uses a bookmark, or opens a new blank tab, there is no referring page, so the Referer header is empty.

  • User privacy: Users or their software (such as browser extensions or privacy modes) may intentionally remove the Referer header for privacy reasons.

  • Security protocols: When navigating from an HTTPS page to an HTTP page, browsers often do not send the Referer header to prevent sensitive information from being leaked.

  • Client policies: Some websites or applications may control the sending of the Referer header for security reasons by setting a <meta> tag or an HTTP header like Referrer-Policy.

  • Cross-origin requests: Some cross-origin requests may not include a Referer header due to browser security policies.

How you handle requests with an empty Referer depends on your application's specific use case and security requirements. Here are some suggestions:

  • Default policy: If your service does not rely on Referer information to make decisions, you can allow requests with an empty Referer.

  • Allow access: To allow all requests with an empty Referer, select the Allow resource URL access from browsers option. DCDN POPs then permit access to the resource.