All Products
Search

This Product

    Object Storage Service:Hotlink protection with OSS SDK for Go 2.0

    Document Center

    Object Storage Service:Hotlink protection with OSS SDK for Go 2.0

    Last Updated:Mar 20, 2026

    Use the OSS Go SDK to configure Referer-based access rules for a bucket — including a whitelist, a blacklist, and a policy for empty Referer requests. These rules block unauthorized referrers, prevent hotlinking of your resources, and reduce unexpected traffic charges.

    Prerequisites

    Before you begin, ensure that you have:

    • Read Hotlink protection to understand the feature

    • The oss:PutBucketReferer permission to set or clear hotlink protection

    • The oss:GetBucketReferer permission to retrieve the hotlink protection configuration

    • Access credentials stored as environment variables. For details, see Configure access credentials

    Note: The sample code defaults to the China (Hangzhou) region (cn-hangzhou) with a public endpoint. If you access OSS from another Alibaba Cloud service in the same region, use the internal endpoint instead. For region-to-endpoint mappings, see OSS regions and endpoints.

    Sample code

    Set hotlink protection

    The following example sets a Referer whitelist and blacklist for a bucket. Both lists support the asterisk (*) and question mark (?) wildcard characters.

    package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

// Define global variables.
var (
	region     string // The region.
	bucketName string // The bucket name.
)

// The init function is used to initialize command-line parameters.
func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
}

func main() {
	// Parse command-line parameters.
	flag.Parse()

	// Check whether the bucket name is empty.
	if len(bucketName) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, bucket name required")
	}

	// Check whether the region is empty.
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Load the default configurations and set the credential provider and region.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	// Create an OSS client.
	client := oss.NewClient(cfg)

	// Create a request to set hotlink protection for the bucket.
	request := &oss.PutBucketRefererRequest{
		Bucket: oss.Ptr(bucketName), // The bucket name.
		RefererConfiguration: &oss.RefererConfiguration{
			AllowEmptyReferer: oss.Ptr(true),
			RefererList: &oss.RefererList{
				Referers: []string{
					"http://www.aliyun.com",
					"https://www.aliyun.com",
					"https://www.www.alibabacloud.com/help",
					"http://www.?.aliyuncs.com",
				},
			}, // Add Referers to the Referer whitelist. The Referer parameter supports the asterisk (*) and question mark (?) wildcard characters.
			RefererBlacklist: &oss.RefererBlacklist{
				Referers: []string{
					"http://www.refuse.com",
					"https://*.hack.com",
					"http://ban.*.com",
					"https://www.?.deny.com",
				},
			}, // Add Referers to the Referer blacklist.
		},
	}

	// Execute the request to set hotlink protection for the bucket.
	result, err := client.PutBucketReferer(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to put bucket referer %v", err)
	}

	// Print the result of setting hotlink protection for the bucket.
	log.Printf("put bucket referer result:%#v\n", result)
}

    Get hotlink protection settings

    package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

// Define global variables.
var (
	region     string // The region.
	bucketName string // The bucket name.
)

// The init function is used to initialize command-line parameters.
func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
}

func main() {
	// Parse command-line parameters.
	flag.Parse()

	// Check whether the bucket name is empty.
	if len(bucketName) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, bucket name required")
	}

	// Check whether the region is empty.
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Load the default configurations and set the credential provider and region.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	// Create an OSS client.
	client := oss.NewClient(cfg)

	// Create a request to get the Referer configuration of the bucket.
	request := &oss.GetBucketRefererRequest{
		Bucket: oss.Ptr(bucketName), // The bucket name.
	}

	// Execute the operation to get the Referer configuration of the bucket and process the result.
	result, err := client.GetBucketReferer(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to get bucket referer %v", err)
	}

	// Print the result of getting the Referer configuration of the bucket.
	log.Printf("get bucket referer result:%#v\n", result.RefererConfiguration.RefererList.Referers)
}

    Clear hotlink protection

    Clearing hotlink protection calls the same PutBucketReferer API as setting it, but passes an empty Referers list.

    package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

// Define global variables.
var (
	region     string // The region.
	bucketName string // The bucket name.
)

// The init function is used to initialize command-line parameters.
func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
}

func main() {
	// Parse command-line parameters.
	flag.Parse()

	// Check whether the bucket name is empty.
	if len(bucketName) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, bucket name required")
	}

	// Check whether the region is empty.
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Load the default configurations and set the credential provider and region.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	// Create an OSS client.
	client := oss.NewClient(cfg)

	// Create a request to set hotlink protection for the bucket.
	request := &oss.PutBucketRefererRequest{
		Bucket: oss.Ptr(bucketName), // The bucket name.
		RefererConfiguration: &oss.RefererConfiguration{
			AllowEmptyReferer: oss.Ptr(true),
			RefererList: &oss.RefererList{
				Referers: []string{}, // An empty Referer list.
			},
		},
	}

	// Execute the request to set hotlink protection for the bucket.
	result, err := client.PutBucketReferer(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to put bucket referer %v", err)
	}

	// Print the result of setting hotlink protection for the bucket.
	log.Printf("put bucket referer result:%#v\n", result)
}

    API reference

    What's next