Accessing an image URL stored in OSS returns a 403 status code. The cause is one of two things: the bucket access control list (ACL) is set to private, or hotlink protection is blocking the request.
Check bucket permissions
A private bucket requires authenticated requests. Direct HTTP access without a signed URL or valid credentials returns 403.
Option 1: Use a signed URL. Generate a URL that includes a time-limited signature so the request authenticates automatically. See User signature authentication and OSS request process.
Option 2: Change the bucket ACL to public-read. This allows anyone to read objects without authentication. See Configure the ACL.
Check hotlink protection settings
When hotlink protection is enabled with a Referer whitelist and Allow Empty Referer is disabled, only requests that include an allowed Referer header are permitted. When you paste an image URL directly into a browser, the browser sends no Referer header — so the request is blocked with a 403.
To confirm this is your cause: open the browser network panel, find the image request, and verify that the request has no Referer header and your Referer whitelist does not include the current origin.
To fix: enable Allow Empty Referer in your hotlink protection settings. See OSS hotlink protection configurations and troubleshooting methods.
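The two checks above can be expressed as one decision function. This is an added example, not code from OSS or its SDKs: it is a simplified model of the behaviour this page describes, and the function name, the host-pattern matching with `*`, the treatment of an empty whitelist, and the sample requests are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

PRIVATE_ACL = "private bucket, unsigned request: use a signed URL"
EMPTY_REFERER = "no Referer header and Allow Empty Referer is disabled"
REFERER_NOT_LISTED = "Referer host is not in the whitelist"


def diagnose_403(acl, signed, whitelist, allow_empty, referer):
    """Return the causes from this page that apply; [] means neither does."""
    causes = []
    # Cause 1: a private bucket rejects requests that carry no signature.
    if acl == "private" and not signed:
        causes.append(PRIVATE_ACL)
    # Cause 2: hotlink protection. An empty whitelist is treated here as
    # "hotlink protection not enabled" (assumption of this model).
    if whitelist:
        if not referer:
            # Pasting the URL into a browser sends no Referer header.
            if not allow_empty:
                causes.append(EMPTY_REFERER)
        else:
            # Compare only the Referer's host against the patterns
            # (simplified matching, assumed for this example).
            host = (urlsplit(referer).hostname or "").lower()
            if not any(fnmatchcase(host, p.lower()) for p in whitelist):
                causes.append(REFERER_NOT_LISTED)
    return causes


# Constructed requests: (label, acl, signed, whitelist, allow_empty, referer)
WL = ["*.example.com"]
SAMPLES = [
    ("private bucket, plain URL", "private", False, [], True, None),
    ("private bucket, signed URL", "private", True, [], True, None),
    ("URL pasted into browser", "public-read", False, WL, False, None),
    ("embedded on allowed page", "public-read", False, WL, False,
     "https://www.example.com/gallery.html"),
    ("embedded on other site", "public-read", False, WL, False,
     "https://other.test/page"),
    ("pasted, Allow Empty Referer on", "public-read", False, WL, True, None),
]

if __name__ == "__main__":
    for label, *args in SAMPLES:
        print(f"{label}: {diagnose_403(*args) or 'neither cause applies'}")
```

In the last two samples, turning on Allow Empty Referer lets the pasted URL through while a request carrying a non-whitelisted Referer is still rejected.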
Still getting a 403?
If neither fix above resolves the issue, follow the full diagnosis guide: Access to OSS 403 status code troubleshooting methods.
Applicable scope
OSS