Hotlink Protection

Last updated: 2019-08-12 15:04:55


Description of the Feature

Tencent Cloud COS provides hotlink protection. It is recommended that you configure a blacklist or whitelist under Hotlink Protection Settings in the console to protect your resources.

Case of Hotlinking

User A uploaded the image resource 1.jpg to COS, obtained its access link, and embedded the image in his web page, where it is displayed normally.
User B saw the image on and embedded the link of 1.jpg in his own web page, which also displays the image normally.
In the above case, A's image 1.jpg was hotlinked by B. A was not aware that his COS resource was being continuously used by B's web page, and A paid for the extra traffic cost.

Hotlink protection is determined by Referer in the request Header:

  • Referer is part of the request Header. The browser generally adds Referer when it sends a request to the Web server to indicate the page from which the request originates, so the server can allow or deny access to resources based on the requesting website.
  • If you open the file link directly in the browser, the request Header does not contain Referer.

In the following figure, for example, 1.jpg is embedded in, and the Referer that points to the access source is added when you access test.html:


  1. Log in to the COS Console, click Bucket List in the left sidebar, and click the bucket for which you want to set hotlink protection to enter its details page.
  2. On the bucket details page, click Basic Configuration, find Hotlink Protection Settings, and click Edit.
  3. Set the current status to Enabled, select a list type (blacklist or whitelist), enter the applicable domain names, and click Save. Once Hotlink Protection is enabled, you must enter at least one applicable domain name.

Setting rules

  • Select blacklist or whitelist:
    • Blacklist: Domain names on this list are not allowed to access the default access address of the bucket. 403 is returned when a request from a domain name on the list accesses that address.
    • Whitelist: Only domain names on this list are allowed to access the default access address of the bucket. 403 is returned when a request from a domain name not on the list accesses that address.
  • Examples
    • Domain names and IPs with ports are supported, such as and
    • Configuring will hit addresses prefixed with, such as and
    • Configuring will hit addresses prefixed with, such as and
    • Configuring will hit its domain name with port
    • Configuring will not hit the domain name
    • Configuring will limit its second-level and third-level domain names,, and
  • A maximum of 10 addresses, including domain names and IPs, is supported. The wildcard * is allowed in addresses, and domain names sharing the same prefix are also subject to the list. Enter one address per line.

Configuration Example

We use the Case of Hotlinking above as an example to show how user A can set hotlink protection to prevent user B from hotlinking images:

  1. User A sets hotlink protection rules for the bucket "test". Use one of the following methods to prevent hotlinking, depending on the actual situation:

    • Method 1: Configure the blacklist by entering the domain name *, and save it.

    • Method 2: Configure the whitelist by entering the domain name *, and save it.

  2. After hotlink protection is enabled:

    • The image is displayed normally when is accessed.

    • The image cannot be displayed when is accessed, as shown below.


Why does hotlink protection still not work after I enabled CDN acceleration for the bucket and used the CDN domain name to access resources?

Since you are accessing through a CDN domain name, the resources are cached on the CDN and served from there, so the hotlink protection configured on the bucket does not take effect reliably. You need to configure hotlink protection in the CDN Console.

Can I set a whitelist that still allows access to resources when I open a link directly in the browser?

When you open a link directly in the browser, Referer is empty, and an empty Referer cannot be configured separately on the whitelist.

The whitelist of hotlink protection for the bucket "test" is set to allow access to, but the Web Player under cannot play video files under the bucket "test".

When you open a video link and use Windows Media Player, Flash Player or another player to play the video on the web page, the Referer in the request is empty, so the domain name on the whitelist is not matched. It is recommended to configure a blacklist instead, so that access works normally when Referer is empty.
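As an added illustration, not part of the Tencent Cloud documentation, the following Python models the blacklist/whitelist decision described under Setting rules together with the empty-Referer behaviour covered in the two FAQ answers above. The domain names are constructed placeholders, and the wildcard and port semantics are assumptions where the page's own examples are not shown.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed placeholder entries (the page's real domain names are not shown):
# an entry standing in for user A's own site and one for hotlinker B's site.
OWN_SITE = "*.example-a.test"
HOTLINKER = "*.example-b.test"


def referer_netloc(referer):
    """Return 'host' or 'host:port' from a Referer URL, or '' when Referer is empty."""
    if not referer:
        return ""
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    return f"{host}:{parts.port}" if parts.port else host


def matches(entry, netloc):
    """Does one list entry hit the request's host[:port]?

    Assumed semantics: '*' is a wildcard; an entry that carries a port only
    hits that exact host:port; an entry without a port hits the host on any port.
    """
    entry = entry.lower()
    if ":" in entry:
        return fnmatchcase(netloc, entry)
    return fnmatchcase(netloc.split(":")[0], entry)


def decide(list_type, entries, referer):
    """Return the status the bucket answers with: 200 (allow) or 403 (deny).

    Behaviour stated on the page: a blacklist denies only listed sources, so an
    empty Referer (direct browser access, media players) passes; a whitelist
    admits only listed sources, so an empty Referer is denied because no entry
    can match it.
    """
    netloc = referer_netloc(referer)
    hit = bool(netloc) and any(matches(e, netloc) for e in entries)
    if list_type == "blacklist":
        return 403 if hit else 200
    if list_type == "whitelist":
        return 200 if hit else 403
    raise ValueError("list_type must be 'blacklist' or 'whitelist'")
```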