Object Storage Service (OSS) provides the source image protection feature to protect your images from being used by unauthorized anonymous requesters. After you enable source image protection for your bucket, anonymous requesters can access images in the bucket only by adding style parameters in the requests or using signed URLs.

Background information

You can use one of the following methods to access images that have the source image protection feature enabled:
  • Use the file URL that contains the style parameters in the format of https://BucketName.Endpoint/ObjectName?x-oss-process=style/StyleName.
  • Use the file URL that contains a signature in the format of https://BucketName.Endpoint/ObjectName?Signature.


  1. Log on to the OSS console.
  2. In the left-side navigation pane, click Buckets. On the Buckets page, click the bucket for which you want to configure source image protection.
  3. In the left-side navigation pane, choose Data Processing > Image Processing (IMG). Then, click Access Settings.
  4. In the Access Settings panel, turn on Protect Source Image File and configure the parameters described in the following table.
    Parameter Description
    Source Image Protection Rule
    Notice Source image protection is in public preview in the China (Shanghai) region.To apply for public preview, contact technical support.
    You can configure up to 10 rules. Each rule consists of a prefix and a suffix.

    When you configure the rules, take note of the following items:

    • You can configure the prefix and suffix separately or at the same time. If you configure both the prefix and suffix, only images whose names contain both the specified prefix and suffix are protected by the rule.
      Note If you want to protect images in the image/ directory, set the prefix to image/.
    • If multiple rules are configured, images whose names match one of the rules are protected.
    • If you specify both source image protection rules and protected file extensions, images whose names match one of the specified values are protected.
    • If you want the prefix and suffix specified in the rule to be case-insensitive, select Case Insensitive.
    Protected File Extensions Select a file suffix from the Protected File Extensions drop-down list. All objects in the bucket that match the specified suffix are protected.
    Delimiters The following delimiters are supported: hyphens (-), underscores (_), forward slashes (/), and exclamation points (!). After you set the delimiters, you can use the delimiters to replace style parameters. This way, IMG URLs are simplified.

    For example, assume that you access an image by using an IMG URL that contains style parameters, and the URL is https://BucketName.Endpoint/ObjectName?x-oss-process=style/StyleName. If you set the delimiters to exclamation points (!), you can simplify the URL as http(s)://BucketName.Endpoint/ObjectName!StyleName.

  5. Click OK.


  • Q: Why is HTTP status code 403 returned when I directly access a protected image, whereas HTTP status code 200 is returned when I access the image over Content Delivery Network (CDN)?

    A: One possible cause is that the request is redirected to access a private bucket over CDN. Source image protection is applicable only to objects that are accessed by anonymous users.

  • Q: How can my source image still be accessed by using a signed URL when source image protection is enabled for the image?

    A: Source image protection is applicable only to objects that are accessed by anonymous users. Access by signed URLs is not anonymous. Therefore, the source image can be accessed by using a signed URL even if you enable source image protection.