All Products
Document Center

Object Storage Service:OSS hotlink protection FAQ and troubleshooting

Last Updated:Mar 13, 2024

To prevent others from hotlinking your objects in Object Storage Service (OSS) and avoid expensive traffic bills due to hotlinking, you can configure Referer-based hotlink protection. However, subsequent tests show that your hotlink protection configurations fail to produce expected results. This topic provides some commonly asked questions about hotlink protection.

What do I do if my Referer configurations fail to produce expected results?

If your Referer configurations for a bucket fail to produce expected results, you need to check your browser configurations, bucket configurations, and Alibaba Cloud CDN configurations.





Check whether the browser modifies the value of the Referer header or set the header to a specific value. In some browser environments, such as WeChat mini programs and iframe, the Referer header may be changed or set to a specific value.

Check the actual Referers in requests that access data in your bucket by using OSS logs or the developer tool of the browser, and reconfigure the Referer header accordingly. For more information, see Check Referers in OSS resource requests from other websites


Check whether your Referer configurations are invalid. If your Referer configurations are invalid, OSS cannot apply the Referer configurations. For example, requests from browsers generally use the http or https protocol. If you do not include the http:// or https:// protocol in your Referer configurations, the configurations cannot produce expected results.

Correctly configure the Referer header. For more information, see Referer configurations.


Check whether Referer configurations are absent on Alibaba Cloud CDN. If you use Alibaba Cloud CDN to accelerate access to OSS without separately configuring Referers on the Alibaba Cloud CDN side, Alibaba Cloud CDN uses cached data to accelerate access using the accelerated domain name and ignores Referer configurations on the OSS side. For example, a first request to access data in OSS from Alibaba Cloud CDN includes a Referer in the OSS Referer whitelist and obtains the requested data, which is also cached on Alibaba Cloud CDN. A second request to access the same data succeeds using Alibaba Cloud CDN, even if the request does not include a Referer.

If you use Alibaba Cloud CDN together with OSS and apply Referer configurations on OSS, apply the same Referer configurations on Alibaba Cloud CDN. For more information, see Configure a Referer whitelist or blacklist to enable hotlink protection.

Why is the "You are denied by bucket referrer policy" error returned for a request that accesses OSS data from WeChat mini programs?

When a request for a resource on another webpage is made from a WeChat mini program, the Referer is often the domain name of WeChat, not the domain name of the webpage on which the requester is located. This is because requests from WeChat mini programs are sent from the WeChat client environment, not traditional browser webpages. To allow requests that access OSS objects from WeChat mini programs, add * to the Referer whitelist.

Why is the "You are denied by bucket referrer policy" error returned when a requester uses object URLs in a browser to access data?

The bucket that stores the requested data is configured to deny requests with an empty Referer header, and no Referer is included when an object URL is used in the address bar of a browser to access the object. To allow URL-based access from browsers, configure the bucket to allow requests that have an empty Referer header.

Why do I receive the InlineDataTooLarge error when I configure a Referer list?

The Referer list exceeds the maximum size (20 KB). You need to reduce the number of Referers in the list to meet the size requirement.