You can configure a Referer whitelist for a bucket to prevent unauthorized access
and associated unexpected fees.
Background information
The hotlink protection feature allows you to configure a Referer whitelist for a bucket.
This way, only requests from domain names that are included in the Referer whitelist
can access data in the bucket. Object Storage Service (OSS) allows you to configure
Referer whitelists based on the Referer header field in HTTP and HTTPS requests.
After hotlink protection is configured for a bucket, OSS verifies requests to objects
in the bucket only when the requests are initiated by using signed URLs or from anonymous
users. Requests that contain the Authorization field in the header are not verified.
For more information about the API operation that you can call to configure a Referer
whitelist for a bucket, see PutBucketReferer. For more information about hotlink protection, see Hotlink protection.
Procedure
- Log on to the OSS console.
- In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the bucket that you want to manage.
- In the left-side navigation pane, choose .
- In the Hotlink Protection section, click Configure.
- Enter domain names or IP addresses in the Referer Whitelist field. Separate multiple Referers with line feeds. You can use asterisks (*) and question marks (?) as wildcards. Examples:
  - If you add www.aliyun.com to the Referer whitelist, requests sent from URLs that start with www.aliyun.com, such as www.aliyun.com/123 and www.aliyun.com.cn, are allowed.
  - An asterisk (*) can be used as a wildcard for zero or more characters. If you add *www.aliyun.com/ to the Referer whitelist, requests sent from http://www.aliyun.com/ and https://www.aliyun.com/ are allowed. Similarly, if you add *.aliyun.com to the Referer whitelist, requests sent from URLs such as help.aliyun.com and www.aliyun.com are allowed.
  - A question mark (?) can be used as a wildcard for a single character.
  - You can add domain names or IP addresses that include a port number, such as www.example.com:8080 and 10.10.10.10:8080, to the Referer whitelist.
- Select whether to turn on Allow Empty Referer to allow requests in which the Referer field is empty.
  An HTTP or HTTPS request that contains an empty Referer is a request that does not contain the Referer field or in which the value of the Referer field is empty. If you turn off Allow Empty Referer, only HTTP or HTTPS requests that include an allowed Referer field can access the objects in the bucket.
  Note By default, if you preview an MP4 object by using a bucket domain name such as bucketname.oss-cn-zhangjiakou.aliyuncs.com, the browser simultaneously sends two requests. One request contains the Referer field, and the other does not. Therefore, you must add the bucket domain name to the Referer whitelist and allow empty Referer fields. To preview a non-MP4 object by using the bucket domain name, you need to only allow empty Referer fields.
- Select whether to turn on Truncate QueryString to allow query strings to be truncated.
- Click Save.
References
- To set conditions on users who can access part of or all of the resources in your
bucket and who can perform certain operations on the resources, we recommend that
you configure bucket policies. For example, you can configure a bucket policy to allow
only users from specified IP addresses to access a specified bucket. For more information
about how to configure bucket policies, see Configure bucket policies to authorize other users to access OSS resources.
- For more information about how to troubleshoot hotlink protection errors, see Referer.