Use the PHP SDK to configure Referer-based hotlink protection to prevent other websites from referencing OSS files - Object Storage Service

Use OSS SDK for PHP 2.0 to configure access control policies that rely on the Referer request header. This allows you to define a Referer whitelist, a Referer blacklist, and choose whether to allow requests with an empty Referer header. By implementing these rules, you can effectively prevent unauthorized hotlinking of your resources and reduce unnecessary data transfer costs.

Usage notes

Before configuring hotlink protection, make sure you understand how this feature works. For more information, see Hotlink protection.
The sample code in this topic uses the China (Hangzhou) region (cn-hangzhou) as an example. By default, the public endpoint is used. If you want to access OSS from another Alibaba Cloud service in the same region, use the internal endpoint. For a full list of supported regions and endpoints, see Regions and endpoints.
Setting or clearing hotlink protection configurations requires the oss:PutBucketReferer permission, while obtaining hotlink protection configurations requires the oss:GetBucketReferer permission. For more information, see Grant custom permissions to a RAM user.

Sample code

Set hotlink protection

This code shows how to configure hotlink protection:

<?php

// Import the autoloader file to load dependencies.
require_once __DIR__ . '/../vendor/autoload.php';

use AlibabaCloud\Oss\V2 as Oss;

// Define the command-line argument descriptions.
$optsdesc = [
    "region" => ['help' => 'The region in which the bucket is located', 'required' => True], // The region is required. This is the region where the bucket is located.
    "endpoint" => ['help' => 'The domain names that other services can use to access OSS', 'required' => False], // The endpoint is optional. This is the domain name that other services can use to access OSS.
    "bucket" => ['help' => 'The name of the bucket', 'required' => True], // The bucket name is required.
];

// Generate a list of long options to parse command-line arguments.
$longopts = \array_map(function ($key) {
    return "$key:"; // Add a colon after each parameter to indicate that a value is required.
}, array_keys($optsdesc));

// Parse the command-line arguments.
$options = getopt("", $longopts); 

// Check for missing required parameters.
foreach ($optsdesc as $key => $value) {
    if ($value['required'] === True && empty($options[$key])) {
        $help = $value['help'];
        echo "Error: the following arguments are required: --$key, $help"; // Prompt the user that a required parameter is missing.
        exit(1); 
    }
}

// Obtain argument values.
$region = $options["region"]; // The region where the bucket is located.
$bucket = $options["bucket"]; // The bucket name.

// Use environment variables to load credential information, including AccessKeyId and AccessKeySecret.
$credentialsProvider = new Oss\Credentials\EnvironmentVariableCredentialsProvider();

// Use the default configurations of the SDK.
$cfg = Oss\Config::loadDefault();

// Set the credential provider.
$cfg->setCredentialsProvider($credentialsProvider);

// Set the region.
$cfg->setRegion($region);

// If an endpoint is provided, set the endpoint.
if (isset($options["endpoint"])) {
    $cfg->setEndpoint($options["endpoint"]);
}

// Create an OSS client instance.
$client = new Oss\Client($cfg);

// Create a request object to set the hotlink protection configuration for the bucket. Configure allowEmptyReferer to false and set the Referer list.
$request = new Oss\Models\PutBucketRefererRequest(bucket: $bucket,
    refererConfiguration: new Oss\Models\RefererConfiguration(
        allowEmptyReferer: false,
        refererList: new Oss\Models\RefererList([""]),
    )
);

// Call the putBucketReferer method to set the hotlink protection configuration for the bucket.
$result = $client->putBucketReferer($request);

// Print the result.
printf(
    'status code:' . $result->statusCode . PHP_EOL . // The HTTP response status code.
    'request id:' . $result->requestId // The unique identifier of the request.
);

Obtain hotlink protection settings

This code shows how to retrieve the hotlink protection configuration:

<?php

// Import the autoloader file to load dependencies.
require_once __DIR__ . '/../vendor/autoload.php';

use AlibabaCloud\Oss\V2 as Oss;

// Define the command-line argument descriptions.
$optsdesc = [
    "region" => ['help' => 'The region in which the bucket is located', 'required' => True], // The region is required. This is the region where the bucket is located.
    "endpoint" => ['help' => 'The domain names that other services can use to access OSS', 'required' => False], // The endpoint is optional. This is the domain name that other services can use to access OSS.
    "bucket" => ['help' => 'The name of the bucket', 'required' => True], // The bucket name is required.
];

// Generate a list of long options to parse command-line arguments.
$longopts = \array_map(function ($key) {
    return "$key:"; // Add a colon after each parameter to indicate that a value is required.
}, array_keys($optsdesc));

// Parse the command-line arguments.
$options = getopt("", $longopts); 

// Check whether required parameters are missing.
foreach ($optsdesc as $key => $value) {
    if ($value['required'] === True && empty($options[$key])) {
        $help = $value['help'];
        echo "Error: the following arguments are required: --$key, $help"; // Prompt the user that a required parameter is missing.
        exit(1); 
    }
}

// Obtain the command-line argument values.
$region = $options["region"]; // The region where the bucket is located.
$bucket = $options["bucket"]; // The bucket name.

// Use environment variables to load credential information, including AccessKeyId and AccessKeySecret.
$credentialsProvider = new Oss\Credentials\EnvironmentVariableCredentialsProvider();

// Use the default configurations of the SDK.
$cfg = Oss\Config::loadDefault();

// Set the credential provider.
$cfg->setCredentialsProvider($credentialsProvider);

// Set the region.
$cfg->setRegion($region);

// If an endpoint is provided, set the endpoint.
if (isset($options["endpoint"])) {
    $cfg->setEndpoint($options["endpoint"]);
}

// Create an OSS client instance.
$client = new Oss\Client($cfg);

// Create a request object to obtain the hotlink protection configuration of the bucket.
$request = new Oss\Models\GetBucketRefererRequest(bucket: $bucket);

// Call the getBucketReferer method to obtain the hotlink protection configuration of the bucket.
$result = $client->getBucketReferer($request);

// Print the result.
printf(
    'status code:' . $result->statusCode . PHP_EOL . // The HTTP response status code.
    'request id:' . $result->requestId . PHP_EOL . // The unique identifier of the request.
    'referer config:' . var_export($result->refererConfiguration, true) // The hotlink protection configuration.
);

References

For more information about the API operation used to set hotlink protection, see PutBucketReferer.
For more information about the API operation used to obtain hotlink protection configurations, see GetBucketReferer.