Referer-based hotlink protection refers to access control based on the Referer header. For example, you can configure a Referer whitelist to allow only specific requests to access your resources or a blacklist to block specific requests. Referer-based hotlink protection identifies and filters user identities and protects your resources from unauthorized access. After you configure a Referer whitelist or blacklist, Dynamic Content Delivery Network (DCDN) allows or blocks requests based on user identities. If a request is allowed, DCDN returns the URL of the requested resource. Otherwise, DCDN returns HTTP status code 403.
Background information
The Referer header is a component of the header section in HTTP requests and contains information about the source address, including the protocol, domain name, and query string. The Referer header is used to identify the source of a request.
Referer-based hotlink protection is a server-side access control mechanism that is designed to protect resources from unauthorized access. When a user visits a website and clicks a link, the browser automatically adds a Referer field to the HTTP request header, which specifies the URL of the page from which the request is originated.
By default, Referer-based hotlink protection is not enabled in DCDN. This means that all websites can access your resources.
After you add a domain name to the Referer whitelist or blacklist, the wildcard domain name that matches the domain name is automatically added to the whitelist or blacklist. For example, if you add
aliyundoc.com
to the Referer whitelist or blacklist, hotlink protection takes effect for all domain names that match*.aliyundoc.com
.After a Range request is initiated from a domain name, the browser adds the Referer header to the second Range request to identify the referring page of the request. To ensure that subsequent Range requests are not blocked by hotlink protection, add the domain name to the Referer whitelist.
Scenarios
A Referer whitelist or blacklist is suitable for the following scenarios:
Copyright protection: To safeguard copyrighted content on your website, you can use a Referer whitelist or blacklist to allow only authorized websites to access the content.
Hotlink protection: You can configure a Referer whitelist or blacklist to prevent your resources from being used by other websites.
Enhanced website security: Only websites that are included in a Referer whitelist that you configured are allowed to access your website resources. This prevents malicious hotlinking or theft of sensitive information.
Traffic source management: You can manage the domains that are authorized to use your resources. This ensures the security and stability of your website.
You can use the hotlink protection feature of DCDN in different scenarios to protect your website assets, manage traffic sources, and improve website security.
How it works
The server checks the Referer field of each request and rejects a request if the Referer field in the request does not match the pre-configured whitelist of trusted websites. This prevents other websites from directly linking to the resources of the website and helps save bandwidth and server resources. After you configure a Referer whitelist or blacklist, DCDN determines whether to allow a request based on the Referer header in the request and the Referer rules:
If the Referer header in the request is included in the Referer blacklist or is not included in the Referer whitelist, DCDN rejects the request.
If the Referer header in the request is included in the Referer whitelist, DCDN allows the request.
Procedure
Log on to the DCDN console.
In the left-side navigation pane, click Domain Names.
On the Domain Names page, find the domain name that you want to manage and click Configure.
In the left-side navigation tree of the domain name, click Access Control.
On the Hotlink Protection tab, turn on Hotlink Protection.
Select Blacklist or Whitelist based on your business requirements.
Parameter
Description
Type
Blacklist
Requests from domain names in the blacklist cannot access your resources.
Whitelist
Only requests from domain names in the whitelist can access your resources.
NoteThe blacklist and whitelist are mutually exclusive. You can configure only one type of list at a time.
Rules
You can add multiple domain names to the Referer whitelist or blacklist. Enter one domain name per line. Do not add a space in front of the domain names.
You can use asterisks (*) as wildcards. For example, if you add
*.developer.aliyundoc.com
to the whitelist or blacklist,image.developer.aliyundoc.com
andvideo.developer.aliyundoc.com
can be matched.
NoteThe content that you enter in the Rules field cannot exceed 60 KB.
Allow resource URL access from browsers.
By default, the check box is not selected. If you select the check box, requests that contain an empty Referer header are allowed to access DCDN resources, no matter that you configure a Referer whitelist or blacklist. An empty Referer header may suggest one of the following scenarios:
The Referer header is not included in the requests.
The Referer header is included in the requests, but the value is empty.
Click OK.
Matching logic
The following table describes the matching logic of the Referer header. If the Referer header in a request does not match the whitelist or matches the blacklist, DCDN rejects the request and returns HTTP status code 403.
Configured domain name | Referer header value in a request | Matched | Description |
| http://www.example.com/img.jpg | Yes | The domain names in the Referer header match the domain names in the Referer whitelist or blacklist. |
http://www.example.com:80/img.jpg | Yes | ||
www.example.com | No | The value of the Referer header in the request does not include the HTTP or HTTPS string. | |
http://aaa.example.com | Yes | The subdomains in the Referer header are covered by the wildcard domain name in the Referer whitelist or blacklist. | |
http://aaa.bbb.example.com | Yes | ||
http://example.com | No | The domain name in the Referer header does not match the wildcard domain name in the Referer whitelist or blacklist. This is because a wildcard domain matches subdomains but does not cover the root domain. | |
http://www.example.net | No rules matched | The domain name in the Referer header is not included in the blacklist or whitelist. Therefore, the request is allowed according to the default rule. |