When your CDN-delivered resources are exposed to hotlinking, unauthorized clients, or malicious traffic, Alibaba Cloud CDN provides five access control features to filter incoming requests and restrict access to your content.

| Feature | When to use it |
|---|---|
| Configure a Referer whitelist or blacklist to enable hotlink protection | Block or allow requests based on the HTTP Referer header. Use this to prevent other websites from embedding your resources — images, videos, or files — without permission. |
| Configure URL signing | Require a time-limited signature in every request URL. CDN edge nodes validate the signature, so only requests with a valid token can retrieve content. Use this to protect security-sensitive files where Referer-based hotlink protection is not sufficient. |
| Configure remote authentication | Delegate request authentication to an authentication server that you designate. Only authorized requests can retrieve resources from Alibaba Cloud CDN. Use this when you need custom authentication logic. |
| Configure an IP address blacklist or whitelist | Block or allow requests from specific IP addresses. Use this to block suspected malicious traffic or to allow only trusted services. |
| Configure a User-Agent blacklist or whitelist | Block or allow requests based on the User-Agent header. Use this to restrict access to known clients. |

Choosing a feature

Use the following guidance to select the right feature for your scenario:

| Scenario | Recommended feature |
|---|---|
| Block other websites from embedding your images or videos | Referer whitelist or blacklist |
| Protect downloadable files or streams from unauthorized access | URL signing |
| Apply custom authentication logic (for example, check session tokens or user roles) | Remote authentication |
| Block traffic from known malicious IP addresses or allow only trusted IPs | IP address blacklist or whitelist |
| Block specific bots, crawlers, or clients by browser identity | User-Agent blacklist or whitelist |

URL signing vs. remote authentication: Both protect resources from unauthorized access. URL signing is performed by CDN edge nodes and supports custom signature strings and timestamps. Remote authentication delegates validation to an authentication server that you designate, which gives you full control over the authentication logic.
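
The following added example (not Alibaba Cloud's code and not its signing format) sketches how a time-limited URL signature can be issued by an origin and checked at an edge node without contacting an authentication server. The HMAC-SHA256 scheme, the `expires` and `sig` parameter names, and the key are assumptions chosen for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical shared key, constructed for this example; not a real credential.
SECRET = b"constructed-demo-key"


def _mac(path: str, expires: int, key: bytes) -> str:
    # The signature covers both the path and the expiry, so neither can be
    # changed by the client without invalidating the token.
    return hmac.new(key, f"{path}\n{expires}".encode(), hashlib.sha256).hexdigest()


def sign_url(path: str, expires: int, key: bytes = SECRET) -> str:
    """Origin side: append the expiry time and the signature to the URL."""
    return f"{path}?{urlencode({'expires': expires, 'sig': _mac(path, expires, key)})}"


def validate(url: str, now: int, key: bytes = SECRET) -> tuple:
    """Edge side: return (allowed, reason) using only the URL and the key."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed token"
    expected = _mac(parts.path, expires, key)
    # Constant-time comparison; the signature is checked before the expiry so
    # a forged expiry is reported as a bad signature, never as a valid token.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    url = sign_url("/video/a.mp4", expires=1700000600)  # constructed sample
    print(validate(url, now=1700000000))
    print(validate(url, now=1700000601))
    print(validate(url.replace("a.mp4", "b.mp4"), now=1700000000))
```

With remote authentication, the decision made in `validate` would instead be made by the authentication server you designate, which can consult state such as sessions or user roles that a self-contained token cannot carry.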