Object Storage Service:Configure hotlink protection to prevent unauthorized access to your data

Last Updated:Aug 16, 2024

Object Storage Service (OSS) allows you to configure a Referer-based filtering policy to block requests that contain specific Referers from accessing data in your bucket. This way, you can prevent unauthorized access and unexpected traffic fees.

Scenarios

  • Block unauthorized access: Hotlink protection allows you to block specific websites from accessing or downloading your images, audio data, video data, or copyrighted content without permissions.

  • Reduce bandwidth and resource usage: Hotlink protection prevents other websites from linking to your resources, which reduces your bandwidth usage and loads on your server.

  • Protect paid content: In paid content scenarios, hotlink protection helps ensure that paid content is loaded only from your own pages, which reduces unauthorized dissemination and piracy.

  • Share data with partners: Hotlink protection can restrict access to requests whose Referer belongs to specific partner websites.

Terms

  • Hotlink: the act of a website directly linking to content that is hosted on a different website and displaying the content without permissions.

  • Hotlink protection: the act of preventing access from unauthorized websites or users by configuring a Referer-based filtering policy.

  • Referer: the HTTP request header that contains the URL from which a request is sent. Two common usage scenarios of the Referer header are hotlink protection and data monitoring. For example, in hotlink protection scenarios, you can configure the Referer header to allow only your own domain names to request images hosted on your server and deny requests from other sources. In data monitoring scenarios, you can check the Referer header to monitor the URLs from which the requests are sent.

  • Empty Referer: an HTTP request that has no Referer header or whose Referer header is empty. Browsers omit the Referer in several common cases: when a request is sent from an HTTPS page to an HTTP URL (the default referrer policy), when the page or site sets a Referrer-Policy such as no-referrer, or when the request is not triggered from a link. For example, no Referer is sent when you enter a URL in the address bar of a browser to request a resource.

  • Whitelist: a list of Referers from which requests are allowed. You can configure a whitelist to specify the Referers that are allowed to access resources in a bucket.

  • Blacklist: a list of Referers from which requests are denied. You can configure a blacklist to specify the Referers that are blocked from accessing resources in a bucket.

  • Query string: the part of a URL that contains query parameters. A query string is the part that follows the question mark (?) in a URL and is in the form of key-value pairs.

How it works

When a browser sends a request to access an object in a bucket, the Referer header is included in the request to specify the source from which the request is sent. If hotlink protection is configured for the bucket, OSS compares the Referer in the request with the Referer configurations of the bucket.

  • If the Referer in the request is included in the Referer blacklist, or a Referer whitelist is configured and the Referer is not included in it, the request is denied.

  • If the Referer in the request is included in the Referer whitelist, the request is allowed.


For example, https://10.10.10.10 is included in the Referer whitelist of a bucket and the test.jpg image is stored in the bucket.

  • User A embeds the test.jpg image in a page on the https://10.10.10.10 website. When the page requests the image, the browser sends a request in which the value of the Referer header is https://10.10.10.10. OSS allows the request because the value of the Referer header is included in the Referer whitelist.

  • User B embeds the test.jpg image in a page on the https://192.168.0.0 website. When the page requests the image, the browser sends a request in which the value of the Referer header is https://192.168.0.0. OSS denies the request because the value of the Referer header is not included in the Referer whitelist.

Process

After hotlink protection is enabled, OSS determines the source from which a request is sent based on the value of the Referer header in the request and determines whether to allow the request. The following figure shows the process in detail.

[Figure: hotlink protection decision process]

  1. Check whether the Referer is empty.

    • If the Referer is empty, check whether empty Referers are allowed.

      • If empty Referers are allowed, the request is allowed.

      • If empty Referers are not allowed and the Referer whitelist is empty, the request is allowed.

      • If empty Referers are not allowed and the Referer whitelist is not empty, the request is denied.

    • If the Referer is not empty, perform Step 2.

  2. Check whether the Referer blacklist is empty.

    • If the Referer blacklist and Referer whitelist are empty, the request is allowed.

    • If the Referer blacklist is empty and the Referer whitelist is not empty, skip Step 3 and perform Step 4.

    • If the Referer blacklist is not empty, perform Step 3.

  3. Traverse the Referer blacklist.

    • If the Referer is included in the Referer blacklist, the request is denied.

    • If the Referer is not included in the Referer blacklist, perform Step 4.

  4. Traverse the Referer whitelist.

    • If the Referer whitelist is empty (only a blacklist is configured), no whitelist restriction applies and the request is allowed. This is consistent with the empty-whitelist rule in Step 1.

    • If the Referer is included in the Referer whitelist, the request is allowed.

    • If the Referer is not included in the Referer whitelist, the request is denied.
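The four-step process above, together with the https://10.10.10.10 example from How it works, as an added Python model of the decision logic. This is example code, not OSS's own implementation. The page does not state how a Referer is matched against a list entry, so the matching rules in referer_matches are an assumption: an entry without wildcards matches the Referer exactly or as a URL prefix ending at a slash, and an entry containing * or ? is treated as a glob pattern. The sample requests are constructed.

```python
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional


def referer_matches(referer: str, entry: str) -> bool:
    """Assumed matching rule (the page does not specify OSS's exact semantics).

    - Entries with * or ? are glob patterns; the pattern may match the whole
      Referer or everything up to a path separator.
    - Plain entries match exactly, or as a prefix that ends at a "/" boundary,
      so https://10.10.10.10/gallery.html matches https://10.10.10.10 but
      https://10.10.10.10.evil.example does not (a naive prefix test would).
    """
    base = entry.rstrip("/")
    if "*" in entry or "?" in entry:
        return fnmatchcase(referer, entry) or fnmatchcase(referer, base + "/*")
    return referer == entry or referer == base or referer.startswith(base + "/")


def parse_referer_list(value: str) -> List[str]:
    """Split the comma-separated form accepted for a whitelist or blacklist."""
    return [e.strip() for e in value.split(",") if e.strip()]


def hotlink_decision(referer: Optional[str], *, allow_empty: bool,
                     whitelist: Iterable[str] = (),
                     blacklist: Iterable[str] = ()) -> bool:
    """Return True if the request is allowed, following the four steps in the text."""
    whitelist = [e.strip() for e in whitelist if e.strip()]
    blacklist = [e.strip() for e in blacklist if e.strip()]

    # Step 1: empty or missing Referer.
    if not referer:
        if allow_empty:
            return True
        # Empty Referers not allowed: denied only if a whitelist is configured.
        return not whitelist

    # Step 2: neither list configured -> nothing to check.
    if not blacklist and not whitelist:
        return True

    # Step 3: the blacklist is checked first and wins over the whitelist.
    if any(referer_matches(referer, e) for e in blacklist):
        return False

    # Step 4: an empty whitelist imposes no restriction; otherwise require a match.
    if not whitelist:
        return True
    return any(referer_matches(referer, e) for e in whitelist)


if __name__ == "__main__":
    # Constructed requests against the configuration from the How it works example.
    cfg = dict(allow_empty=False, whitelist=parse_referer_list("https://10.10.10.10"))
    samples = [
        "https://10.10.10.10",                 # User A: allowed
        "https://10.10.10.10/gallery.html",    # same site, with a path: allowed
        "https://192.168.0.0",                 # User B: denied
        "https://10.10.10.10.evil.example",    # look-alike host: denied
        None,                                  # empty Referer, not allowed: denied
    ]
    for ref in samples:
        verdict = "allow" if hotlink_decision(ref, **cfg) else "deny"
        print(f"{ref!r:40} -> {verdict}")
```

Two points the model makes visible: the blacklist is evaluated before the whitelist, so an entry that appears in both is denied; and a wildcard entry such as https://*.example.com is loose, because fnmatch's * also matches "/", so prefer explicit host entries where you can.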

Usage notes

  • OSS supports only bucket-level hotlink protection. You cannot configure hotlink protection for objects or directories in a bucket.

  • Hotlink protection is applied only to URL-based access (GetObject requests) and anonymous access.

  • Requests that contain the Authorization header are not verified based on hotlink protection configurations. Note also that the Referer header is set by the client and can be forged freely (for example, with curl -H "Referer: https://10.10.10.10"), so hotlink protection deters casual embedding and reduces bandwidth abuse but is not an access-control mechanism. Use signed URLs or bucket policies for data that must be protected from unauthorized readers.

  • You can add multiple Referers separated by commas (,) to the Referer whitelist and blacklist of a bucket.

  • OSS checks the Referer header in requests to a bucket for which hotlink protection is configured, regardless of the access control list (ACL) of the bucket.

  • When you use the domain name of a bucket, whether the default one or a custom one, to preview an MP4 object in a bucket for which hotlink protection is configured, you must add the bucket domain name to the Referer whitelist and allow empty Referers. This is because the browser sends two requests: one contains the actual Referer and the other contains an empty Referer. The MP4 object can be played only if both requests succeed. If you preview a non-MP4 object by using a domain name of the bucket, you only need to allow empty Referers.
