This topic describes how to use hotlink protection.

To prevent your data stored in Object Storage Service (OSS) from unauthorized access, you can configure a Referer whitelist for your bucket by specifying the following parameters:
  • Referer Whitelist: specifies that only specified domain names are allowed to access your resources.
  • Allow Empty Referer: determines whether requests that contain an empty Referer field are allowed. If you specify that an empty Referer field is not allowed, only HTTP and HTTPS requests that contain an allowed Referer field can access your OSS resources.

For more information about hotlink protection, see Hotlink protection.

Configure a Referer whitelist for a bucket

The following code provides an example on how to configure a Referer whitelist for a bucket:

package main

import (
    "fmt"
    "os"
    "github.com/aliyun/aliyun-oss-go-sdk/oss"
)

func main() {
    // Create an OSSClient instance. 
    // Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. Specify your actual endpoint. 
    // The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in Object Storage Service (OSS) is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console. 
    client, err := oss.New("yourEndpoint", "yourAccessKeyId", "yourAccessKeySecret")
    if err!=nil{
        fmt.Println("Error:", err)
        os.Exit(-1)
    }
    // Set yourBucketName to the name of your bucket. 
    bucketName := "yourBucketName"

    // Add Referers to the Referer whitelist and specify that empty Referer fields are not allowed. You can use an asterisk (*) or a question mark (?) as a wildcard to set the Referer parameter. 
    referers := []string{"http://www.aliyun.com",
                         "http://www.???.aliyuncs.com",
                         "http://www.*.com"}
    err = client.SetBucketReferer(bucketName, referers, false)
    if err!=nil{
        fmt.Println("Error:", err)
        os.Exit(-1)
    }
}

Query a Referer whitelist of a bucket

The following code provides an example on how to query a Referer whitelist of a bucket:

package main

import (
    "fmt"
    "os"
    "github.com/aliyun/aliyun-oss-go-sdk/oss"
)

func main() {
    // Create an OSSClient instance. 
    // Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. Specify your actual endpoint. 
    // The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in OSS is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console. 
    client, err := oss.New("yourEndpoint", "yourAccessKeyId", "yourAccessKeySecret")
    if err!=nil{
        fmt.Println("Error:", err)
        os.Exit(-1)
    }

    // Set yourBucketName to the name of your bucket. 
    bucketName := "yourBucketName"

    // Query the Referer whitelist of the bucket. 
    refRes, err := client.GetBucketReferer(bucketName)
    if err!=nil{
        fmt.Println("Error:", err)
        os.Exit(-1)
    }
    fmt.Println("Referers: ", refRes.RefererList)
    fmt.Println("AllowEmptyReferer: ", refRes.AllowEmptyReferer)
}

Clear a Referer whitelist of a bucket

The following code provides an example on how to clear a Referer whitelist of a bucket:

package main

import (
    "fmt"
    "os"
    "github.com/aliyun/aliyun-oss-go-sdk/oss"
)

func main() {
    // Create an OSSClient instance. 
    // Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. Specify your actual endpoint. 
    // The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in OSS is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console. 
    client, err := oss.New("yourEndpoint", "yourAccessKeyId", "yourAccessKeySecret")
    if err!=nil{
        fmt.Println("Error:", err)
        os.Exit(-1)
    }

    // Set yourBucketName to the name of your bucket. 
    bucketName := "yourBucketName"

    // Clear the Referer whitelist of the bucket. The Referer whitelist of the bucket cannot be cleared directly. To delete the Referer whitelist, you must create a rule that allows empty Referer fields to replace the existing rule. 
    err = client.SetBucketReferer(bucketName, []string{}, true)
    if err!=nil{
        fmt.Println("Error:", err)
        os.Exit(-1)
    }
}

References

  • For the complete sample code that is used to configure a Referer whitelist, visit GitHub.
  • For more information about the API operation that you can call to configure a Referer whitelist for a bucket, see PutBucketReferer.
  • For more information about the API operation that you can call to query a Referer whitelist of a bucket, see GetBucketReferer.