Configure Referer-based hotlink protection for OSS using the C++ SDK - Object Storage Service

Use the OSS C++ SDK to configure hotlink protection for a bucket based on the Referer request header. Set a Referer whitelist or blacklist and control whether requests with an empty Referer are allowed. Unauthorized sites that hotlink your objects are blocked, reducing unnecessary egress traffic costs.

Prerequisites

Before you begin, ensure that you have:

An OSS bucket
The oss:PutBucketReferer permission to configure hotlink protection, or the oss:GetBucketReferer permission to query the configuration. For more information, see Attach a custom policy to a RAM user.
Read Hotlink protection to understand how Referer whitelist and blacklist rules work before applying them
The OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables set with valid credentials

The examples use the public endpoint for the China (Hangzhou) region. To access OSS from another Alibaba Cloud service in the same region, use the internal endpoint instead. For endpoint details, see Regions and endpoints. To create an OSSClient instance using a custom domain name or Security Token Service (STS), see Create an OSSClient instance.

Set hotlink protection

#include <alibabacloud/oss/OssClient.h>
using namespace AlibabaCloud::OSS;

int main(void)
{
    /* Replace with the endpoint for your bucket's region.
       Example for China (Hangzhou): https://oss-cn-hangzhou.aliyuncs.com */
    std::string Endpoint = "yourEndpoint";
    /* Replace with your bucket's region ID. Example: cn-hangzhou */
    std::string Region = "yourRegion";
    std::string BucketName = "examplebucket";

    InitializeSdk();

    ClientConfiguration conf;
    conf.signatureVersion = SignatureVersionType::V4;
    /* Credentials are read from OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET. */
    auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
    OssClient client(Endpoint, credentialsProvider, conf);
    client.SetRegion(Region);

    /* Add Referer entries to the whitelist and allow empty Referers. */
    SetBucketRefererRequest request(BucketName);
    request.addReferer("http://www.aliyun.com");
    request.addReferer("https://www.aliyun.com");
    /* request.addReferer("https://www.alibabacloud.com/help"); */
    /* request.addReferer("http://www.?.aliyuncs.com");         */
    request.setAllowEmptyReferer(true);

    auto outcome = client.SetBucketReferer(request);

    if (!outcome.isSuccess()) {
        std::cout << "SetBucketReferer fail"
                  << ", code: "      << outcome.error().Code()
                  << ", message: "   << outcome.error().Message()
                  << ", requestId: " << outcome.error().RequestId() << std::endl;
        return -1;
    }

    ShutdownSdk();
    return 0;
}

Get the hotlink protection configuration

#include <alibabacloud/oss/OssClient.h>
using namespace AlibabaCloud::OSS;

int main(void)
{
    std::string Endpoint = "yourEndpoint";
    std::string Region = "yourRegion";
    std::string BucketName = "examplebucket";

    InitializeSdk();

    ClientConfiguration conf;
    conf.signatureVersion = SignatureVersionType::V4;
    auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
    OssClient client(Endpoint, credentialsProvider, conf);
    client.SetRegion(Region);

    GetBucketRefererRequest request(BucketName);
    auto outcome = client.GetBucketReferer(request);

    if (outcome.isSuccess()) {
        std::cout << "GetBucketReferer success"
                  << ", AllowEmptyReferer: " << outcome.result().AllowEmptyReferer()
                  << ", Referer count: "     << outcome.result().RefererList().size() << std::endl;
    } else {
        std::cout << "GetBucketReferer fail"
                  << ", code: "      << outcome.error().Code()
                  << ", message: "   << outcome.error().Message()
                  << ", requestId: " << outcome.error().RequestId() << std::endl;
        return -1;
    }

    ShutdownSdk();
    return 0;
}

Delete hotlink protection rules

OSS has no dedicated delete operation for hotlink protection. To clear the rules, overwrite the existing configuration with an empty Referer list and setAllowEmptyReferer(true).

#include <alibabacloud/oss/OssClient.h>
using namespace AlibabaCloud::OSS;

int main(void)
{
    std::string Endpoint = "yourEndpoint";
    std::string Region = "yourRegion";
    std::string BucketName = "examplebucket";

    InitializeSdk();

    ClientConfiguration conf;
    conf.signatureVersion = SignatureVersionType::V4;
    auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
    OssClient client(Endpoint, credentialsProvider, conf);
    client.SetRegion(Region);

    /* Overwrite the existing rules with an empty list to clear hotlink protection. */
    SetBucketRefererRequest request(BucketName);
    request.setAllowEmptyReferer(true);

    auto outcome = client.SetBucketReferer(request);

    if (!outcome.isSuccess()) {
        std::cout << "CleanBucketReferer fail"
                  << ", code: "      << outcome.error().Code()
                  << ", message: "   << outcome.error().Message()
                  << ", requestId: " << outcome.error().RequestId() << std::endl;
        return -1;
    }

    ShutdownSdk();
    return 0;
}

What's next

For the complete sample code, see GitHub.
For the PutBucketReferer API reference, see PutBucketReferer.
For the GetBucketReferer API reference, see GetBucketReferer.