You can configure a Referer whitelist for a bucket to prevent unauthorized access to your objects and the unexpected traffic fees that hotlinking causes.

Background information

The hotlink protection feature allows you to configure a Referer whitelist for a bucket. This way, only requests from domain names that are included in the Referer whitelist can access data in the bucket. Object Storage Service (OSS) allows you to configure Referer whitelists based on the Referer header field in HTTP and HTTPS requests.

After hotlink protection is configured for a bucket, OSS verifies the Referer of requests to objects in the bucket only when the requests are initiated by using signed URLs or from anonymous users. Requests whose headers contain an Authorization field are not verified.

For more information about the API operation that you can call to configure a Referer whitelist for a bucket, see PutBucketReferer. For more information about hotlink protection, see Hotlink protection.

Procedure

  1. Log on to the OSS console.
  2. In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the bucket that you want to manage.
  3. In the left-side navigation pane, choose Access Control > Hotlink Protection.
  4. In the Hotlink Protection section, click Configure.
    • Enter domain names or IP addresses in the Referer Whitelist field. Separate multiple Referers with line feeds. You can use asterisks (*) and question marks (?) as wildcards. Examples:
      • If you add www.aliyun.com to the Referer whitelist, requests sent from URLs that start with www.aliyun.com, such as www.aliyun.com/123 and www.aliyun.com.cn, are allowed.
      • An asterisk (*) can be used as a wildcard for zero or more characters. If you add *www.aliyun.com/ to the Referer whitelist, requests sent from http://www.aliyun.com/ and https://www.aliyun.com/ are allowed. Similarly, if you add *.aliyun.com to the Referer whitelist, requests sent from URLs such as help.aliyun.com and www.aliyun.com are allowed.
      • A question mark (?) can be used as a wildcard for a single character.
      • You can add domain names or IP addresses that include a port number, such as www.example.com:8080 and 10.10.10.10:8080, to the Referer whitelist.
    • Select whether to turn on Allow Empty Referer to allow requests in which the Referer field is empty.

      An HTTP or HTTPS request that contains an empty Referer indicates that the request does not contain the Referer field or that the value of the Referer field is empty.

      If you turn off Allow Empty Referer, only HTTP or HTTPS requests that include an allowed Referer field can access the objects in the bucket.

      Note By default, if you preview an MP4 object by using a bucket domain name such as bucketname.oss-cn-zhangjiakou.aliyuncs.com, the browser simultaneously sends two requests. One request contains the Referer field, and the other does not. Therefore, you must add the bucket domain name to the Referer whitelist and allow empty Referer fields. To preview a non-MP4 object by using the bucket domain name, you need to only allow empty Referer fields.
    • Select whether to turn on Truncate QueryString to allow query strings to be truncated.
  5. Click Save.
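The matching rules in step 4 (prefix matching, the `*` and `?` wildcards, the Allow Empty Referer switch, and the exemption for requests that carry an Authorization header) are easier to reason about when you can run them against sample requests. The following Python script is an added example written for this page; it is not OSS code and not the service's actual matching implementation. It models the rules exactly as the page states them, and the whitelist, the sample request headers and the `OSS <placeholder-credential>` value are constructed for the example. The Truncate QueryString switch is not modelled.

```python
import re
from typing import Iterable, Mapping


def referer_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one whitelist entry into an anchored prefix regex.

    Rules as the page states them: '*' matches zero or more characters,
    '?' matches exactly one character, and an entry matches any Referer
    that starts with it (so 'www.aliyun.com' also covers 'www.aliyun.com/123'
    and 'www.aliyun.com.cn'). Every other character is matched literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts))


def referer_matches(referer: str, whitelist: Iterable[str]) -> bool:
    """Return True if the Referer value matches at least one whitelist entry."""
    return any(referer_pattern_to_regex(p).search(referer) for p in whitelist)


def request_allowed(headers: Mapping[str, str], whitelist: Iterable[str],
                    allow_empty_referer: bool) -> bool:
    """Decide whether hotlink protection lets a request through.

    Mirrors the page: requests carrying an Authorization header are not
    checked at all; anonymous and signed-URL requests are checked against
    the whitelist, and a missing or empty Referer is accepted only when
    Allow Empty Referer is turned on.
    """
    # Case-insensitive header lookup so 'referer' and 'Referer' both work.
    lowered = {k.lower(): v for k, v in headers.items()}
    if "authorization" in lowered:
        return True
    referer = lowered.get("referer", "")
    if referer == "":
        return allow_empty_referer
    return referer_matches(referer, whitelist)


# Constructed whitelist using the page's example domains. The bucket domain
# gets a leading '*' for the same reason the page uses '*www.aliyun.com/':
# browsers send the scheme, so the entry must tolerate http:// and https://.
BUCKET_DOMAIN = "bucketname.oss-cn-zhangjiakou.aliyuncs.com"
WHITELIST = ["*www.aliyun.com/", "*.aliyun.com", "www.example.com:8080", "*" + BUCKET_DOMAIN]

# Constructed sample requests; the credential value is a placeholder.
SAMPLE_REQUESTS = {
    "own_site": {"Referer": "https://www.aliyun.com/docs/oss"},
    "mp4_first_request": {"Referer": "https://" + BUCKET_DOMAIN + "/video.mp4"},
    "mp4_second_request": {},  # the browser's second, Referer-less request from the Note
    "hotlinker": {"Referer": "https://hotlink.example/page.html"},
    "signed_sdk_call": {"Authorization": "OSS <placeholder-credential>",
                        "Referer": "https://hotlink.example/page.html"},
}


def evaluate_samples(allow_empty_referer: bool) -> dict:
    """Run every sample request through the model with the given switch setting."""
    return {name: request_allowed(h, WHITELIST, allow_empty_referer)
            for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for setting in (False, True):
        print(f"Allow Empty Referer = {setting}")
        for name, allowed in evaluate_samples(setting).items():
            print(f"  {name:20s} {'allowed' if allowed else 'blocked'}")
```

Running the script shows the MP4 case from the Note: with Allow Empty Referer turned off, the browser's first request (which carries the bucket domain as Referer) is allowed but its second, Referer-less request is blocked; turning the switch on allows both. It also shows that the Authorization-bearing request passes regardless of its Referer, which is why the whitelist is not a substitute for bucket policies when you need to restrict authenticated callers. Note that an entry starting with `*` matches anything before the literal text, so keep entries as specific as the page's examples.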

References

  • To set conditions on users who can access part of or all of the resources in your bucket and who can perform certain operations on the resources, we recommend that you configure bucket policies. For example, you can configure a bucket policy to allow only users from specified IP addresses to access a specified bucket. For more information about how to configure bucket policies, see Configure bucket policies to authorize other users to access OSS resources.
  • For more information about how to troubleshoot hotlink protection errors, see Referer.