Configure source image protection for images in a bucket - Object Storage Service

Source image protection prevents anonymous users from directly accessing original images stored in your OSS bucket. After you enable it, images are accessible only through style-parameterized URLs or signed URLs — direct, unauthenticated requests are denied.

The source image protection rule feature is in public preview. Contact technical support to apply for access.

How it works

Source image protection targets anonymous access only. Requests that carry a valid signature are not treated as anonymous, so they always go through — this is why signed URLs and CDN-cached content can still reach your images even with protection enabled.

Two URL formats remain accessible after you enable source image protection:

Access method	URL format	When to use
Style-parameterized URL	`https://BucketName.Endpoint/ObjectName?x-oss-process=style/StyleName`	Serve processed images (resized, watermarked, etc.) to end users without exposing the source
Signed URL	`https://BucketName.Endpoint/ObjectName?Signature`	Grant time-limited, authenticated access to the original image from your backend or trusted clients

Prerequisites

Before you begin, make sure you have:

An OSS bucket with images you want to protect

Enable source image protection

Log on to the OSS console.
In the left-side navigation pane, click Buckets. On the Buckets page, find and click the target bucket.
In the left-side navigation tree, choose Data Processing > IMG.
On the IMG page, click Access Settings.
In the Access Settings panel, turn on Source Image Protection.

Configure the parameters:

Source image protection rule

Define which images to protect by prefix, suffix, or both. Up to 10 rules are supported.

Setting	Description
Prefix	Matches objects whose names start with the specified string. Use a prefix ending with `/` to protect an entire directory — for example, `image/` protects all objects under `image/`.
Suffix	Matches objects whose names end with the specified string.
Prefix + suffix	When both are set, only objects whose names match both conditions are protected by that rule.
Case Insensitive	Select this checkbox to make prefix and suffix matching case-insensitive.

If multiple rules are configured, an object is protected if it matches any rule. If both protection rules and protected image extensions are set, an object is protected if it satisfies either condition.

Protected image extensions

Select an extension from the Protected Image Extensions drop-down list to protect all objects in the bucket with that extension. Select * to protect all image objects regardless of extension.

Delimiters

Supported delimiters: hyphens (-), underscores (_), forward slashes (/), and exclamation points (!).

Delimiters let you use a shorter URL format instead of the full x-oss-process=style/StyleName query string. For example, if you set ! as the delimiter, the following two URLs are equivalent:

https://BucketName.Endpoint/ObjectName?x-oss-process=style/StyleName
http(s)://BucketName.Endpoint/ObjectName!StyleName

Click OK.

FAQ

Why does a protected image return HTTP 403 on direct access but HTTP 200 through Alibaba Cloud CDN?

CDN requests include signature information, so they are not treated as anonymous. Source image protection only blocks anonymous requests, so CDN-served content is unaffected.

Why can the original image still be accessed with a signed URL after source image protection is enabled?

Source image protection applies to anonymous access only. A signed URL carries authentication information, so the requester is not anonymous — protection does not apply.