Tencent Cloud COS provides hotlink protection to help users avoid unnecessary losses caused by malicious programs' stealing public network traffic using resource URLs or stealing resources. We recommend that you configure the blocklist/allowlist in Hotlink Protection Settings on the console to ensure security protection.
Note:
- If a signature is carried in the access URL or headers, hotlink protection−based verification will not be performed.
- When configuring hotlink protection, you can add your domain to the allowlist for the multipart upload request of large files.
Blocklist: domain names on this list are not allowed to access the default access address of the bucket. 403 is returned if any domain name on the list accesses such address.
Allowlist: domain names on this list are allowed to access the default access address of the bucket. 403 is returned if any domain name not on the list accesses such address.
Empty referer: For an HTTP request, the header referer can be left empty (i.e., the HTTP request header has no referer field or the referer field is empty).
Referer: You can enter up to 10 domain names (which can be used to represent all domain names with a particular prefix), with one domain name per line. Supported address formats include domain name, IP address, and the wildcard *
; Examples are outlined below:
If www.example.com
is specified, www.example.com/123
, www.example.com.cn
, and other addresses with the prefix of www.example.com
will also be included in the list.
Domain names and IPs with ports are supported, such as www.example.com:8080
and 10.10.10.10:8080
.
If *.example.com
is specified, addresses such as a.b.example.com/123
and a.example.com
are also included.
Note:If accelerated access is implemented via a CDN endpoint domain name, CDN hotlink protection rules will be executed before COS hotlink protection rules.
A user with the APPID of 1250000000 creates a bucket named examplebucket-1250000000 and places an image picture.jpg in the root directory. COS has generated the following default access address according to the rules:
examplebucket-1250000000.file.myqcloud.com/picture.jpg
User A owns a website:
www.example.com
and embeds the image into the homepage index.html.
Webmaster B manages a website:
www.fake.com
and wants to put this image on www.fake.com
. But he doesn't want to pay for traffic costs. He creates a direct link to picture.jpg through the following address and places it into the homepage index.html on www.fake.com
.
examplebucket-1250000000.file.myqcloud.com/picture.jpg
In such cases, to avoid losses for User A, we provide the following two methods of enabling hotlink protection.
The blocklist method: Add *.fake.com
to the blocklist and save.
The allowlist method: Add *.example.com
to the allowlist and save.
The image is displayed normally when http://www.example.com/index.html
is accessed.
The image is also displayed normally when http://www.fake.com/index.html
is accessed.
The image is displayed normally when http://www.example.com/index.html
is accessed.
The image cannot be displayed when http://www.fake.com/index.html
is accessed.
https://servicewechat.com/{appid}/{version}/page-frame.html
.servicewechat.com
to your hotlink allowlist on the COS console.
Was this page helpful?