
Object Storage Service: Hotlink protection using OSS SDK for Node.js

Last Updated: Mar 20, 2026

Hotlink protection lets you control which websites can embed or link to objects in your OSS bucket. It works by inspecting the HTTP Referer header on incoming requests and allowing or blocking them based on a whitelist or blacklist you define. Without it, any site can hotlink your objects, consuming your bandwidth at no cost to them.

The Node.js SDK provides three operations for managing hotlink protection:

| Operation | SDK method | Required permission |
|---|---|---|
| Set hotlink protection rules | putBucketReferer | oss:PutBucketReferer |
| Get hotlink protection configuration | getBucketReferer | oss:GetBucketReferer |
| Delete hotlink protection rules | deleteBucketReferer | oss:PutBucketReferer |

Prerequisites

Before you begin, make sure you have:

  • Reviewed the hotlink protection feature overview

  • The oss:PutBucketReferer permission (to set or delete rules) or oss:GetBucketReferer permission (to get the configuration). For details, see Grant custom access policies to a RAM user.

  • OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET set as environment variables

Usage notes

  • The examples use the public endpoint for the China (Hangzhou) region. To access OSS from another Alibaba Cloud service in the same region, use an internal endpoint instead. For supported regions and endpoints, see Regions and endpoints.

  • The examples create an OSSClient instance using an OSS endpoint. To use a custom domain name or Security Token Service (STS), see Initialization.

Set hotlink protection rules

putBucketReferer(bucketName, allowEmpty, referers) sets the Referer whitelist or blacklist for a bucket.

The allowEmpty parameter controls whether requests with no Referer header are allowed.

const OSS = require('ali-oss');

const client = new OSS({
  // Replace yourregion with the region where the bucket is located.
  // For example, if the bucket is in China (Hangzhou), use oss-cn-hangzhou.
  region: 'yourregion',
  // Read access credentials from environment variables.
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  authorizationV4: true,
  // Replace examplebucket with your bucket name.
  bucket: 'examplebucket'
});

async function putBucketReferer() {
  try {
    const result = await client.putBucketReferer(
      client.options.bucket,
      true,                          // allowEmpty: allow requests with no Referer header
      [
        'http://www.aliyun.com',
        'https://www.aliyun.com'
      ]
    );
    console.log(result);
  } catch (e) {
    console.log(e);
  }
}

putBucketReferer();

Get the hotlink protection configuration

getBucketReferer(bucketName) retrieves the current Referer whitelist or blacklist for a bucket.

const OSS = require('ali-oss');

const client = new OSS({
  // Replace yourregion with the region where the bucket is located.
  // For example, if the bucket is in China (Hangzhou), use oss-cn-hangzhou.
  region: 'yourregion',
  // Read access credentials from environment variables.
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  authorizationV4: true,
  // Replace yourbucketname with your bucket name.
  bucket: 'yourbucketname'
});

async function getBucketReferer() {
  try {
    // Query the bucket configured on the client above.
    const result = await client.getBucketReferer(client.options.bucket);
    console.log(result);
  } catch (e) {
    console.log(e);
  }
}

getBucketReferer();
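
An added example, not part of the original documentation or the ali-oss SDK: a drift check that compares a retrieved hotlink protection configuration with the policy you intended to set. The helper auditRefererConfig, its finding codes and the sample values are hypothetical; it assumes the getBucketReferer result exposes allowEmpty and referers.

```javascript
// Added example: offline audit of a Referer configuration.
// The input shape { allowEmpty, referers } is assumed to match what
// client.getBucketReferer() resolves with; pass that result as `actual`.
const norm = (r) => String(r).trim().toLowerCase().replace(/\/+$/, '');

// Hypothetical helper (not an ali-oss API): compare live config with intended policy.
function auditRefererConfig(actual, expected) {
  const findings = [];
  const live = new Set((actual.referers || []).map(norm));
  const want = new Set((expected.referers || []).map(norm));

  // Requests with no Referer header pass when allowEmpty is true.
  if (Boolean(actual.allowEmpty) !== Boolean(expected.allowEmpty)) {
    findings.push({ code: 'ALLOW_EMPTY_DRIFT', detail: `allowEmpty is ${actual.allowEmpty}` });
  }
  // Empty list plus allowEmpty: the state a bucket is in after deleteBucketReferer.
  if (live.size === 0 && actual.allowEmpty) {
    findings.push({ code: 'UNRESTRICTED', detail: 'no Referer-based restriction is in effect' });
  }
  for (const r of live) {
    // OSS Referer entries may use * and ? wildcards; a bare catch-all defeats the list.
    if (/^(https?:\/\/)?\*$/.test(r)) findings.push({ code: 'CATCH_ALL', detail: r });
    if (!want.has(r)) findings.push({ code: 'UNEXPECTED_REFERER', detail: r });
  }
  for (const r of want) {
    if (!live.has(r)) findings.push({ code: 'MISSING_REFERER', detail: r });
  }
  return findings;
}

// Constructed sample data (not real bucket output).
const expectedPolicy = { allowEmpty: false, referers: ['https://www.aliyun.com'] };
const liveConfig = {
  allowEmpty: true,
  referers: ['http://www.aliyun.com', 'https://www.aliyun.com/', 'https://*'],
};

const sampleFindings = auditRefererConfig(liveConfig, expectedPolicy);
for (const f of sampleFindings) console.log(`${f.code}: ${f.detail}`);
```

An empty findings array means the bucket matches the intended policy; anything else is worth reviewing before the next putBucketReferer call.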

Delete hotlink protection rules

deleteBucketReferer(bucketName) removes all hotlink protection rules from a bucket. After deletion, the bucket has no Referer-based access restrictions.

const OSS = require('ali-oss');

const client = new OSS({
  // Replace yourregion with the region where the bucket is located.
  // For example, if the bucket is in China (Hangzhou), use oss-cn-hangzhou.
  region: 'yourregion',
  // Read access credentials from environment variables.
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  authorizationV4: true,
  // Replace yourbucketname with your bucket name.
  bucket: 'yourbucketname'
});

async function deleteBucketReferer() {
  try {
    // Remove the rules from the bucket configured on the client above.
    const result = await client.deleteBucketReferer(client.options.bucket);
    console.log(result);
  } catch (e) {
    console.log(e);
  }
}

deleteBucketReferer();
