Hotlink protection allows you to ensure that your Object Storage Service (OSS) objects are embedded only on specific webpages, preventing unauthorized access and bandwidth theft. This topic provides common configuration examples of hotlink protection.
Only allow webpages from your own domain to reference OSS objects and disallow webpages from other domains
To permit only webpages from your own domain, such as www.example.com, to reference OSS objects, add http://www.example.com and https://www.example.com to the Referer whitelist. This action ensures that requests from other webpages are blocked by the Referer hotlink protection policy.
Disallow webpages from certain domains to reference OSS objects
If you want to prevent webpages from certain domains from referencing OSS objects without affecting others, set the Referer whitelist to * and then add the domains you want to block, such as *example.com, to the Referer blacklist. This configuration ensures that requests from those specific domains are blocked by the Referer hotlink protection policy.
Allow OSS console to download and preview OSS objects
To enable downloading and previewing of OSS objects via the OSS console after setting up hotlink protection, add *.console.aliyun.com to the Referer whitelist. This inclusion ensures that the OSS console requests are not blocked by the Referer hotlink protection policy.
Allow users to access OSS objects referenced in webpages through WeChat mini programs
For WeChat mini program users accessing webpage files, the Referer header is typically set to the mini program's own domain. To allow access to OSS objects referenced in webpages through WeChat mini programs, add *servicewechat.com to the Referer whitelist, ensuring requests are not blocked by the Referer hotlink protection policy.
Disallow users from accessing OSS objects by entering the URL in the browser address bar
Direct URL access to OSS objects via the browser address bar doesn't include the Referer header, as it's not initiated by a webpage link or embedded content. To block this type of access, set the empty Referer to disallow in the hotlink protection policy.
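The following added example (not part of the original topic and not OSS's own implementation) is a simplified model for checking a planned whitelist and blacklist against sample Referer values before applying them. It assumes the empty-Referer rule is evaluated first, then the blacklist, then the whitelist, and that patterns are compared with the scheme and host of the Referer; the function and variable names are hypothetical.

```python
import re
from urllib.parse import urlsplit

def _matches(pattern, origin):
    # Only two wildcards are special: * (any run of characters) and ? (one character).
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, origin, re.IGNORECASE) is not None

def is_allowed(referer, whitelist, blacklist=(), allow_empty=True):
    """Assumed order: empty-Referer rule, then blacklist, then whitelist."""
    if not referer:
        return allow_empty
    parts = urlsplit(referer)
    origin = f"{parts.scheme}://{parts.netloc}"  # compare scheme and host only
    if any(_matches(p, origin) for p in blacklist):
        return False
    return any(_matches(p, origin) for p in whitelist)

# Policies built from the scenarios in this topic.
OWN_DOMAIN = {
    "whitelist": ["http://www.example.com", "https://www.example.com",
                  "*.console.aliyun.com", "*servicewechat.com"],
    "allow_empty": False,
}
BLOCK_SOME = {"whitelist": ["*"], "blacklist": ["*example.com"]}

# Constructed sample Referer values (not captured traffic).
SAMPLES = {
    "own page over https": (OWN_DOMAIN, "https://www.example.com/index.html"),
    "other site": (OWN_DOMAIN, "https://other.example.net/gallery"),
    "address bar (no Referer)": (OWN_DOMAIN, ""),
    "OSS console": (OWN_DOMAIN, "https://oss.console.aliyun.com/bucket"),
    "WeChat mini program": (
        OWN_DOMAIN, "https://servicewechat.com/wx0000000000000000/1/page-frame.html"),
    "blacklisted subdomain": (BLOCK_SOME, "https://cdn.example.com/page"),
    "lookalike host also hit by *example.com": (BLOCK_SOME, "https://myexample.com/"),
    "unrelated site": (BLOCK_SOME, "https://www.example.org/"),
}

def run_samples():
    # Returns {label: True if the request would be allowed}.
    return {label: is_allowed(ref, **policy) for label, (policy, ref) in SAMPLES.items()}

if __name__ == "__main__":
    for label, allowed in run_samples().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {label}")
```

In this model, a whitelist containing only http://www.example.com denies a page served over https, which is why both schemes are listed; and *example.com without a leading dot also matches any host that merely ends in example.com.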