Object Storage Service (OSS) provides the source image protection feature to protect your images from being used by unauthorized anonymous requesters. After you enable source image protection for your bucket, anonymous requesters can access images in the bucket only by adding style parameters or signature information to the URLs.

Background information

You can use one of the following methods to access images in a bucket for which the source image protection feature is enabled:
  • Use the object URL that contains the style parameters in the format of https://BucketName.Endpoint/ObjectName?x-oss-process=style/StyleName.
  • Use the object URL that contains a signature in the format of https://BucketName.Endpoint/ObjectName?Signature.

Procedure

  1. Log on to the OSS console.
  2. In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the desired bucket.
  3. In the left-side navigation tree, choose Data Processing > Image Processing (IMG).
  4. On the Image Processing (IMG) page, click Access Settings.
  5. In the Access Settings panel, turn on Protect Source Image File and configure the parameters described in the following table.
    Parameter Description
    Protect Source Image File You can configure up to 10 rules. A rule includes a prefix, a suffix, or both.

    When you configure the rules, take note of the following items:

    • You can include a prefix, a suffix, or both in a rule for source image protection. If you configure both the prefix and suffix, only images whose names contain both the specified prefix and suffix are protected by the rule.
      Note You can use a prefix to protect all objects in a directory. For example, to protect images in the image/ directory, set the prefix to image/.
    • If multiple rules are configured for the objects in a bucket, images whose names match one of the rules are protected.
    • If you specify both source image protection rules and protected file extensions, images whose names match one or more of the rules or contain the specified extension are protected.
    • If you want the prefix and suffix specified in the rule to be case-insensitive, select Case Insensitive.
    Protected File Extensions Select a file extension from the Protected File Extensions drop-down list. All objects in the bucket that match the specified extension are protected.
    Delimiters The following delimiters are supported: hyphens (-), underscores (_), forward slashes (/), and exclamation points (!). After you set the delimiters, you can use the delimiters to replace style parameters. This way, IMG URLs are simplified.

    For example, you use an IMG URL that contains style parameters to access the image, and the URL format is https://BucketName.Endpoint/ObjectName?x-oss-process=style/StyleName. If you specify exclamation points (!) as the delimiter, you can simplify the URL as http(s)://BucketName.Endpoint/ObjectName!StyleName.

  6. Click OK.

FAQ

  • Q: Why is HTTP status code 403 returned when I directly access a protected image, whereas HTTP status code 200 is returned when I access the image over Alibaba Cloud CDN?

    A: One possible cause is that the request is redirected to access a private bucket over CDN. Source image protection is applicable only to objects that are accessed by anonymous users.

  • Q: Why can my source image still be accessed by using a signed URL when source image protection is enabled for the image?

    A: Source image protection is applicable only to objects that are accessed by anonymous users. Access by using signed URLs is not anonymous. Therefore, the source image can be accessed by using a signed URL even if you enable source image protection.