Prevent OSS hotlinking with Referer whitelists and blacklists - Object Storage Service

How it works

When a browser requests an OSS file, the HTTP Referer header identifies the requesting page. OSS validates this Referer value to verify the request origin.

After hotlink protection is configured, OSS evaluates requests in this order:

Empty Referer check: OSS checks whether the Referer is empty. If empty, the following logic applies:
- If you allow requests with an empty Referer, the request is allowed.
- If you do not allow requests with an empty Referer and the whitelist is empty, the request is allowed.
- If you do not allow requests with an empty Referer and the whitelist is not empty, the request is denied.
If the Referer is not empty, the check proceeds to the next step.
Blacklist check: OSS checks whether the Referer matches any blacklist entry. A match results in immediate denial — the whitelist is not checked. Otherwise, processing continues.
Whitelist check: OSS checks whether the Referer matches any whitelist entry. A match allows the request; no match denies it.

Procedure

Go to the Buckets list and click the target bucket.

In the left navigation pane, choose Content Security > Hotlink Protection. Enable the Hotlink Protection option and configure the Referer rules as needed:

Referer Whitelist: Domains allowed to access your resources. Enter one per line.
Referer Blacklist: Domains denied access. Enter one per line. Blacklist takes priority over the whitelist.
Allow Empty Referer: Whether to allow requests without a Referer header, such as direct browser access.
Truncate QueryString: Whether to ignore the query string after ? in the URL during matching. Query string parsing rules.

Referer rules support wildcards:

Wildcard	Description	Example
`*`	Matches zero or more characters.	`*.example.com` matches `http://www.example.com` and `https://help.example.com`.
`?`	Matches one character.	`http://www.aliyun?.com` matches `http://www.aliyunc.com`.

Referer rules also support domains or IP addresses with ports, such as http://www.example.com:8080 and 10.10.10.10:8080.

Note

Matching is protocol-sensitive. A rule for http://www.aliyun.com does not match https://www.aliyun.com. Add entries for both HTTP and HTTPS.

Click Save to apply the settings.

Use cases

Allow access only from trusted websites

Allow only specified websites to access your OSS resources while permitting direct browser access.

Step 1: Obtain the Referer

Before configuring the rule, identify the Referer of requests to your OSS resources:

Use OSS real-time logs: Go to the Buckets list. On the target bucket's page, choose Logging > Real-time Log Query, and then find the referer field. A hyphen (-) indicates a request with an empty Referer.
Use browser developer tools: Press F12 to open the browser developer tools. In the Network panel, check the request's Referer header.

Step 2: Configure the Referer rule

Parameter	Value	Description
Referer Whitelist	`https://www.aliyun.com` `http://www.aliyun.com` `*.console.aliyun.com`	Add trusted domains for both HTTP and HTTPS. Include the console domain to keep management functions working.
Referer Blacklist	Leave empty	No sources to block.
Allow Empty Referer	Allow	Allows direct browser access and access from clients that omit the Referer.
Truncate QueryString	Allow	Ignores the URL query string for flexible matching.

Step 3: Verify the configuration

# Simulate a request from a whitelisted Referer (expected to succeed)
curl -e "http://www.aliyun.com" http://your-bucket-name.oss-cn-hangzhou.aliyuncs.com/demo.txt

# Simulate a request from a non-whitelisted Referer (expected to return AccessDenied)
curl -e "http://www.example.com" http://your-bucket-name.oss-cn-hangzhou.aliyuncs.com/demo.txt

# Simulate a request with an empty Referer (expected to succeed)
curl http://your-bucket-name.oss-cn-hangzhou.aliyuncs.com/demo.txt

Block malicious websites

Allow access from most sources but block specific malicious websites using a blacklist.

Step 1: Identify the Referer

Go to the Buckets list. On the target bucket's page, choose Logging > Real-time Log Query. Filter for abnormal traffic records and check the referer field to identify the malicious domain.

Step 2: Configure the Referer rule

Parameter	Value	Description
Referer Whitelist	`*`	Allows access from all sources.
Referer Blacklist	`*bad-site.example` `http://malicious-site.example` `https://malicious-site.example`	Add malicious domains. Use wildcards to block an entire domain and its subdomains.
Allow Empty Referer	Allow	Allows direct access and legitimate clients to function.
Truncate QueryString	Allow	Ignores the URL query string for flexible matching.

Step 3: Verify the configuration

# Simulate a request from a normal website (expected to succeed)
curl -e "http://www.example.com" http://your-bucket-name.oss-cn-hangzhou.aliyuncs.com/demo.txt

# Simulate a request from a blacklisted website (expected to return AccessDenied)
curl -e "http://bad-site.example" http://your-bucket-name.oss-cn-hangzhou.aliyuncs.com/demo.txt

# Simulate a request with an empty Referer (expected to succeed)
curl http://your-bucket-name.oss-cn-hangzhou.aliyuncs.com/demo.txt

Allow WeChat mini program access

WeChat mini programs use a fixed Referer format: https://servicewechat.com/{appid}/{version}/page-frame.html. Configure your rule to match this format.

Step 1: Identify the Referer format

The Referer format for WeChat mini programs is fixed and predictable, so you can configure it directly by using a wildcard. To confirm the exact format, go to the Buckets list and check the referer field in the Logging > Real-time Log Query section of your target bucket.

Step 2: Configure the Referer rule

Parameter	Value	Description
Referer Whitelist	`servicewechat.com` `.console.aliyun.com`	Wildcard covers all mini program AppIDs and versions. Include the console domain to keep management functions working.
Referer Blacklist	Leave empty	No sources to block.
Allow Empty Referer	Allow	Some mini programs omit the Referer. Allowing empty Referers ensures compatibility.
Truncate QueryString	Allow	Ignores the URL query string for flexible matching.

Step 3: Verify the configuration

# Simulate a request from a WeChat mini program (expected to succeed)
curl -e "https://servicewechat.com/wx1234567890abcdef/1/page-frame.html" http://your-bucket-name.oss-cn-hangzhou.aliyuncs.com/demo.txt

# Simulate a request from another source (expected to return AccessDenied)
curl -e "http://www.example.com" http://your-bucket-name.oss-cn-hangzhou.aliyuncs.com/demo.txt

# Simulate a request with an empty Referer (expected to succeed)
curl http://your-bucket-name.oss-cn-hangzhou.aliyuncs.com/demo.txt

Allow OSS console access

After enabling hotlink protection, add the OSS console domain to the whitelist to keep management functions working.

Step 1: Configure the rule

Parameter	Value	Description
Referer Whitelist	`*.console.aliyun.com`	Wildcard covers all OSS console subdomains, ensuring previews work across regions.
Referer Blacklist	Leave empty	No sources to block.
Allow Empty Referer	Allow	Allows direct access and console previews to work.
Truncate QueryString	Allow	Ignores the URL query string for flexible matching.

Step 2: Verify the configuration

# Simulate access from the console (expected to succeed)
curl -e "https://oss.console.alibabacloud.com" http://your-bucket-name.oss-cn-hangzhou.aliyuncs.com/demo.txt

You can also verify by previewing and downloading a file from the OSS console.

Block direct access via URL

Disallow empty Referers to require all requests to originate from a specified website, preventing direct URL access.

Important

This blocks all direct access, including bookmarks and email links. Some browser plugins, download managers, and video players may not work because they often omit the Referer.

Step 1: Determine the Referer

Identify all domain and protocol combinations for your website to cover all legitimate access scenarios.

Step 2: Configure the rule

Parameter	Value	Description
Referer Whitelist	`https://www.example.com` `http://www.example.com` `*.console.aliyun.com`	Your website domain. Add all required domain and protocol combinations. Include the console domain to keep management functions working.
Referer Blacklist	Leave empty	No sources to block.
Allow Empty Referer	No	Blocks direct access from the browser address bar.
Truncate QueryString	Allow	Ignores the URL query string for flexible matching.

Step 3: Verify the configuration

# Simulate a request from the website (expected to succeed)
curl -e "http://www.example.com" http://your-bucket-name.oss-cn-hangzhou.aliyuncs.com/demo.txt

# Simulate direct access (expected to return AccessDenied)
curl http://your-bucket-name.oss-cn-hangzhou.aliyuncs.com/demo.txt

# Simulate a request from another website (expected to return AccessDenied)
curl -e "http://other.example" http://your-bucket-name.oss-cn-hangzhou.aliyuncs.com/demo.txt

Query string parsing rules

If you disable the Truncate query string option, OSS parses the query string as follows:

Rule	Description
The query string is not URL-decoded.	For a request URL of `http://www.example.com/?job_id=task$01`, a whitelist or blacklist rule set to `http://www.example.com/?job_id=task%2401` will not match.
Parameters are case-insensitive.	For a request URL of `http://www.example.com/?ACTION=NOP`, a whitelist or blacklist rule set to `http://www.example.com/?action=nop` will match.
The order of parameters is significant.	For a request URL of `http://example.com/?b=c&a=b`, a whitelist or blacklist rule set to `http://example.com/?a=b&b=c` will not match.

Production considerations

CDN cache bypass risk: Hotlinking requests may hit a CDN edge node and be served from cache, bypassing OSS hotlink protection. To prevent this, also configure the same Referer hotlink protection rules on your CDN.
Impact of browser Referrer-Policy: Browsers support the Referrer-Policy header, which controls how much Referer information is sent in cross-origin requests. Policies like no-referrer cause the browser to omit the Referer, and OSS treats these as empty-Referer requests. Consider this when configuring rules.
Video playback compatibility: The browser's native video tag sends an initial request with a Referer and subsequent media data requests with an empty Referer. To ensure video playback works, you must allow access for requests with an empty Referer.

Quotas and limits

anonymous access or a signed URL. API calls signed with an AccessKey (requests that include an Authorization header) are not restricted by hotlink protection rules.
List size limit: The combined Referer whitelist and blacklist cannot exceed 20 KB.
Scope: Hotlink protection applies at the bucket level. Per-object or per-directory rules are not supported.

FAQ

Why is hotlink protection not working?

Check the following in order:

Browser environment check: Certain environments, such as WeChat mini programs or iframes, may modify the Referer. Use OSS real-time logs or browser developer tools to identify the actual Referer, then adjust your rule.
Referer format: Verify that your Referer entry includes the protocol prefix (http:// or https://). Omitting it causes the rule to fail.
CDN cache bypass: If your CDN lacks hotlink protection, requests may bypass OSS validation. Configure matching hotlink protection rules on your CDN.

Resolving access denied errors in WeChat mini programs

WeChat mini programs use a fixed Referer starting with https://servicewechat.com/. Add *servicewechat.com to your whitelist to allow all mini program access.

Resolving access denied errors for direct access

Direct browser access sends an empty Referer. If empty Referers are disallowed, access is denied. To allow direct access, change the Allow Empty Referer option in your hotlink protection settings to Allow.

Resolving the InlineDataTooLarge error

The combined Referer whitelist and blacklist exceeds the 20 KB limit. Use wildcards to consolidate rules or remove unnecessary entries.