
Object Storage Service: Hotlink protection examples

Last Updated: Jan 18, 2024

You can use hotlink protection to allow your objects in Object Storage Service (OSS) to be embedded into only specific webpages. This prevents unauthorized access to your objects and bandwidth theft. This topic provides common configuration examples of hotlink protection.

Allow only your webpages to access data in your bucket

For example, you want to allow webpages only on your domain name www.example.com to access data in your bucket and deny all access requests from other webpages. To do so, include only http://www.example.com and https://www.example.com in the Referer whitelist.


Deny access requests from specific domain names

For example, you want to deny access requests from webpages on specific domain names and allow access requests from webpages on other domain names. To do so, add * to the Referer whitelist and add the domain names from which you want to deny access requests, such as *example.com, to the Referer blacklist.


Allow downloads and previews using the OSS console

If you configure hotlink protection and also want to allow downloads and previews by using the OSS console, add *.console.aliyun.com to the Referer whitelist so that requests from the OSS console are not blocked by your hotlink protection configurations.


Allow access requests from WeChat mini programs

When a request for a resource on another webpage is made from a WeChat mini program, the Referer is often the domain name of WeChat, not the domain name of the webpage on which the requester is located. This is because requests from WeChat mini programs are sent from the WeChat client environment, not traditional browser webpages. To allow requests that access OSS objects from WeChat mini programs, add *servicewechat.com to the Referer whitelist.


Deny access by using object URLs in a browser

When a requester requests an OSS object by entering the URL of the object in the address bar of a browser, the HTTP request does not include the Referer header, because the request is not triggered within a webpage or by content embedding. To deny access by using object URLs in a browser, set Allow Empty Referer to No.
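To sanity-check a Referer list before applying it, the following added example (not OSS code and not part of the original topic) models the five configurations above in Python. It assumes that `*` matches any run of characters, that the blacklist is evaluated before the whitelist, and that matching is done against the scheme and host of the Referer; the function names and sample Referer values are constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Referer lists taken from the sections above.
OWN_SITE = ["http://www.example.com", "https://www.example.com"]
WITH_CONSOLE = OWN_SITE + ["*.console.aliyun.com"]
WITH_WECHAT = OWN_SITE + ["*servicewechat.com"]
ALLOW_ALL, DENY_EXAMPLE = ["*"], ["*example.com"]


def origin_of(referer):
    """Reduce a Referer value to lower-cased scheme://host (modelling assumption)."""
    parts = urlsplit(referer)
    if not parts.hostname:
        return referer.lower()
    return f"{parts.scheme}://{parts.hostname}".lower()


def allowed(referer, whitelist, blacklist=(), allow_empty=True):
    """Return True if a request carrying this Referer passes the modelled rules."""
    if not referer:  # URL typed in the address bar: no Referer header at all
        return allow_empty
    origin = origin_of(referer)
    if any(fnmatchcase(origin, p.lower()) for p in blacklist):
        return False  # assumption: a blacklist match wins over the whitelist
    return any(fnmatchcase(origin, p.lower()) for p in whitelist)


if __name__ == "__main__":
    # Constructed sample requests: (Referer, whitelist, blacklist, Allow Empty Referer)
    cases = [
        ("https://www.example.com/index.html", OWN_SITE, (), True),
        ("https://other.test/gallery", OWN_SITE, (), True),
        ("https://www.example.com/a", ALLOW_ALL, DENY_EXAMPLE, True),
        ("https://notexample.com/", ALLOW_ALL, DENY_EXAMPLE, True),
        ("https://oss.console.aliyun.com/bucket", WITH_CONSOLE, (), True),
        ("https://servicewechat.com/wx0000/1/page-frame.html", WITH_WECHAT, (), True),
        ("", OWN_SITE, (), False),
    ]
    for referer, white, black, empty_ok in cases:
        verdict = "allow" if allowed(referer, white, black, empty_ok) else "deny"
        print(f"{verdict:5}  {referer or '(no Referer)'}")
```

In this model a leading-wildcard entry such as `*example.com` also matches hosts that merely end in that string, such as `notexample.com`, which is worth checking for when writing list entries.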
