All Products
Document Center

How to verify whether the Referer hotlink protection of OSS takes effect

Last Updated: May 19, 2022


To prevent data stored in the Object Storage Service (OSS) from being stolen by others and incur additional fees, the Referer whitelist is set in the hotlinking protection feature of the OSS console. Only domain names in the whitelist can access resources in the bucket. After the configuration is complete, how to verify whether the Referer hotlinking protection of OSS takes effect.

Background information

For more information, see How to query the access and operation records of objects during access Object Storage Service (OSS), view the access records of OSS, and analyze whether hotlink protection takes effect by using the access records. You can also perform the following operations to test whether the hotlinking protection set by the curl command takes effect.


For more information about how to configure hotlink protection in the OSS console, see Configure hotlink protection. The parameters are as follows:

  • Referer whitelist. Only the specified domain name is allowed to access OSS resources. Its domain name is
  • Set Referer to not be empty.
    • An HTTP or HTTPS request that contains an empty Referer indicates that the request does not contain the Referer field or the value of the Referer field is empty.
    • If you do not allow empty Referers fields, only HTTP or HTTPS requests which include an allowed Referer field can access the objects in the bucket.
    • By default, if you preview an MP4 object by using a bucket domain name such as, the browser sends a request that contains the Referer field and a request that does not contain the Referer field at the same time. Therefore, you must add the bucket domain name to the Referer whitelist and allow empty Referer fields. To preview a non-MP4 object by using the bucket domain name, you need only to allow empty Referer fields.

  • Create a file named testoss.txt in the bucket.

For more information about hotlinking protection, see the "Hotlinking protection settings" section in OSS Developer Guide.

Test method

Check the Referer of the header in the browser to check whether the configuration is correct. For example, press the F12 key in the Chrome browser to open the Developer tool, view the Referer carried by a specific request in the Network, and check whether it matches the Referer set in the corresponding OSS. Three scenarios for testing with curl commands in Linux operating systems are as follows:

Scenario 1

Perform the following operations to access through the curl command without adding parameters, which means that the URL is opened directly through the browser. If Referer is not allowed to be empty, the system reports an error. Confirm that the error is AccessDenied, proving that the setting that does not allow Referer to be empty takes effect. For more information about AccessDenied errors, see Troubleshoot common errors related to OSS permissions.


The system error is similar to the following.

Scenario 2

Perform the following operations to pass the specified whitelist to the access address by adding the parameter -e by the curl command, which represents the request passed by the website. No error is reported to prove that the whitelist Referer settings take effect.

curl -e

If an output similar to the following one is returned, one of the solutions is applicable to your system kernel version:

Scenario 3

Perform the following operations to pass the incorrect Referer to the access address through the curl command plus parameter -e. Because the is not in the whitelist, the system reports an error, proving that the whitelist Referer setting takes effect.

curl -e

The system error is similar to the following.


Applicable scope

  • Object Storage Service (OSS)