
Object Storage Service: Hotlink protection (Node.js SDK)

Last Updated: Nov 29, 2025

You can use the Node.js software development kit (SDK) to configure access rules for Object Storage Service (OSS) based on the Referer request header. You can set a Referer whitelist and a blacklist, and specify whether to allow requests with an empty Referer header. These rules block requests that carry the specified Referers from accessing your OSS files, which prevents hotlinking from other websites and avoids unnecessary traffic costs.

Notes

  • Before you configure hotlink protection, make sure that you are familiar with this feature. For more information, see Hotlink protection.

  • In this topic, the public endpoint of the China (Hangzhou) region is used. To access OSS from other Alibaba Cloud services in the same region, use an internal endpoint. For details about supported regions and endpoints, see Regions and endpoints.

  • In this topic, an OSSClient instance is created by using an OSS endpoint. If you want to create an OSSClient instance by using custom domain names or Security Token Service (STS), see Initialization.

  • To set or delete hotlink protection rules, you must have the oss:PutBucketReferer permission. To retrieve hotlink protection rules, you must have the oss:GetBucketReferer permission. For more information, see Grant custom access policies to a RAM user.

Set hotlink protection

The following code shows how to set hotlink protection rules.

const OSS = require('ali-oss')

const client = new OSS({
  // Replace yourregion with the region where the bucket is located. For example, if the bucket is in the China (Hangzhou) region, set Region to oss-cn-hangzhou.
  region: 'yourregion',
  // Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  authorizationV4: true,
  // Specify the bucket name.
  bucket: 'examplebucket'
});

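async function putBucketReferer () {
  try {
    // Second argument: whether to allow requests with an empty Referer header.
    // Third argument: the Referer whitelist.
    const result = await client.putBucketReferer(client.options.bucket, true, [
      'http://www.aliyun.com',
      'https://www.aliyun.com'
    ]);
    console.log(result);
  } catch (e) {
    console.log(e);
  }
}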

putBucketReferer();

Get the hotlink protection configuration

The following code shows how to retrieve the hotlink protection configuration.

const OSS = require('ali-oss')

const client = new OSS({
  // Replace yourregion with the region where the bucket is located. For example, if the bucket is in the China (Hangzhou) region, set the region to oss-cn-hangzhou.
  region: 'yourregion',
  // Obtain access credentials from environment variables. Before you run this code sample, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  authorizationV4: true,
  // Replace yourbucketname with the bucket name.
  bucket: 'yourbucketname'
});

async function getBucketReferer () {
  try {
    // Query the bucket that the client was initialized with.
    const result = await client.getBucketReferer(client.options.bucket);
    console.log(result);
  } catch (e) {
    console.log(e);
  }
}

getBucketReferer();
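
The following added example (not part of the original page or of the ali-oss SDK) audits the object returned by getBucketReferer for settings that weaken hotlink protection. It assumes the result exposes allowEmpty and referers and that OSS treats * in an entry as a wildcard; the function name auditRefererConfig and the sample values are constructed for illustration.

```javascript
// Added example: audit a getBucketReferer() result for weak settings.
// Assumed result shape: { allowEmpty: boolean, referers: string[] }.
function auditRefererConfig({ allowEmpty, referers }) {
  const list = referers || [];
  const findings = [];
  if (list.length === 0) {
    findings.push('empty-whitelist: no allowed Referers are configured');
  }
  if (allowEmpty) {
    findings.push('allow-empty: requests without a Referer header are accepted');
  }
  // Group the listed schemes by host to spot hosts covered for one scheme only.
  const schemesByHost = new Map();
  for (const entry of list) {
    // Assumption: OSS treats "*" in an entry as a wildcard.
    if (entry.includes('*')) {
      findings.push(`wildcard: "${entry}" may match more origins than intended`);
    }
    const m = /^(https?):\/\/([^/]+)/i.exec(entry);
    if (!m) continue; // entry without an http(s) scheme: nothing to group
    const host = m[2].toLowerCase();
    if (!schemesByHost.has(host)) schemesByHost.set(host, new Set());
    schemesByHost.get(host).add(m[1].toLowerCase());
  }
  for (const [host, schemes] of schemesByHost) {
    if (schemes.size === 1) {
      findings.push(`single-scheme: ${host} is listed only for ${[...schemes][0]}`);
    }
  }
  return findings;
}

// Constructed sample results, not output from a real bucket.
const strict = {
  allowEmpty: false,
  referers: ['http://www.aliyun.com', 'https://www.aliyun.com']
};
const loose = { allowEmpty: true, referers: ['http://*.example.com'] };
const empty = { allowEmpty: true, referers: [] };

for (const [name, cfg] of Object.entries({ strict, loose, empty })) {
  console.log(name, auditRefererConfig(cfg));
}
```

To audit a live bucket, pass the value resolved by client.getBucketReferer(client.options.bucket) to auditRefererConfig.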

Delete hotlink protection rules

The following code shows how to delete hotlink protection rules.

const OSS = require('ali-oss')
const client = new OSS({
  // Set yourregion to the region where the bucket is located. For example, if the bucket is in the China (Hangzhou) region, set Region to oss-cn-hangzhou.
  region: 'yourregion',
  // Obtain access credentials from environment variables. Before you run this code sample, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  authorizationV4: true,
  // Set yourbucketname to the bucket name.
  bucket: 'yourbucketname'
});

async function deleteBucketReferer () {
  try {
    // Delete the rules of the bucket that the client was initialized with.
    const result = await client.deleteBucketReferer(client.options.bucket);
    console.log(result);
  } catch (e) {
    console.log(e);
  }
}

deleteBucketReferer();

References

  • For the complete sample code that is used to configure hotlink protection, see GitHub.

  • For more information about the API operation that is used to set hotlink protection rules, see PutBucketReferer.

  • For more information about the API operation that is used to retrieve the hotlink protection configuration, see GetBucketReferer.