Release Notes and Announcements

Release Notes

Announcements

Product Introduction

Overview

Features

Use Cases

Strengths

Concepts

Regions and Access Endpoints

Specifications and Limits

Service Regions and Service Providers

Billing

Billing Overview

Billing Method

Billable Items

Free Tier

Billing Examples

Viewing and Downloading Bill

Payment Overdue

FAQs

Getting Started

Console

Getting Started with COSBrowser

User Guide

Creating Request

Bucket

Object

Data Management

Batch Operation

Global Acceleration

Monitoring and Alarms

Operations Center

Data Processing

Content Moderation

Smart Toolbox

Data Processing Workflow

Application Integration

User Tools

Tool Overview

Installation and Configuration of Environment

COSBrowser

COSCLI (Beta)

COSCMD

COS Migration

FTP Server

Hadoop

COSDistCp

HDFS TO COS

GooseFS-Lite

Online Tools

Diagnostic Tool

Use Cases

Overview

Access Control and Permission Management

Performance Optimization

Accessing COS with AWS S3 SDK

Data Disaster Recovery and Backup

Domain Name Management Practice

Image Processing

Audio/Video Practices

Workflow

Direct Data Upload

Content Moderation

Data Security

Data Verification

Big Data Practice

COS Cost Optimization Solutions

Using COS in the Third-party Applications

Migration Guide

Migrating Local Data to COS

Migrating Data from Third-Party Cloud Storage Service to COS

Migrating Data from URL to COS

Migrating Data Within COS

Migrating Data Between HDFS and COS

Data Lake Storage

Cloud Native Datalake Storage

Metadata Accelerator

GooseFS

Data Processing

Data Processing Overview

Image Processing

Media Processing

Content Moderation

File Processing Service

File Preview

Troubleshooting

Obtaining RequestId

Slow Upload over Public Network

403 Error for COS Access

Resource Access Error

POST Object Common Exceptions

API Documentation

Introduction

Common Request Headers

Common Response Headers

Error Codes

Request Signature

Action List

Service APIs

Bucket APIs

Object APIs

Batch Operation APIs

Data Processing APIs

Job and Workflow

Content Moderation APIs

Cloud Antivirus API

SDK Documentation

SDK Overview

Preparations

Android SDK

C SDK

C++ SDK

.NET(C#) SDK

Flutter SDK

Go SDK

iOS SDK

Java SDK

JavaScript SDK

Node.js SDK

PHP SDK

Python SDK

React Native SDK

Mini Program SDK

Error Codes

Harmony SDK

Endpoint SDK Quality Optimization

Security and Compliance

Data Disaster Recovery

Data Security

Cloud Access Management

FAQs

Hotlink Protection Practice

PDF

Mode fokus

Ukuran font

Terakhir diperbarui: 2025-11-13 17:25:25

Overview
COS allows you to configure hotlink protection for your bucket. You can set a blocklist and allowlist for access sources to prevent resource hotlinking. This document describes how to configure hotlink protection for a bucket.
How Does Hotlink Protection Work
Hotlink protection works by checking the Referer address in the request header:
Referer is a part of the header. When a browser sends a request to a web server, it usually carries a Referer to tell the server which page the request comes from, so that the server can decide to deny or allow the access to resources.
If you open the file link https://examplebucket-1250000000.cos.ap-guangzhou.myqcloud.com/1.jpg directly in a browser, the request header will not have a Referer.
For example, in the figure below, the image 1.jpg is embedded in https://127.0.0.1/test/test.html, and a Referer pointing to the access origin will be carried when you access https://127.0.0.1/test/test.html:
﻿
﻿
Hotlink Protection Case Study
User A uploaded the image resource 1.jpg to COS, and the accessible link to the image is https://examplebucket-1250000000.cos.ap-guangzhou.myqcloud.com/1.jpg.
User A embedded the image in their webpage https://example.com/index.html and the image is accessible.
User B saw the image on user A's webpage and decided to embed it in their own webpage https://b.com/test/test.html, and user B's webpage can also display the image properly.
In the above case, user A's image resource 1.jpg was hotlinked by user B. User A doesn't know that their resource in COS is being used by user B's webpage and suffers from losses caused by extra traffic fees.
Solution
In the above Hotlink Protection Case Study, user A can prevent user B from hotlinking their image by setting hotlink protection in the following way:
1. Set a hotlink protection rule for the bucket "examplebucket-1250000000". There are two options for preventing user B from hotlinking:
Option 1: configure a blacklist by entering the domain name *.b.com, and save it.
Option 2: configure a whitelist, enter *.example.com for the domain name, and save.
2. After hotlink protection is enabled:
The image can be displayed properly when https://example.com/index.html is accessed.
The image cannot be displayed when https://b.com/test/test.html is accessed, as shown below:
﻿
﻿
Directions
1. Log in to the COS Console and click Bucket List on the left sidebar to enter the bucket list page.
2. Select the bucket for which to configure hotlink protection and enter it.
﻿
﻿
3. Click Security Management > Hotlink Protection on the left.
4. In the Hotlink Protection area, click Edit.
﻿
﻿
5. Enable hotlink protection and configure the list type and domain name. Here, select Option 2 as detailed below:
Type: blocklist or allowlist
Blocklist: It prohibits domain names in the list to access the default access address of the bucket. If a domain name in the list accesses the default access address of the bucket, a 403 error will be returned.
Allowlist: It prohibits domain names not in the list to access the default access address of the bucket. If a domain name not in the list accesses the default access address of the bucket, a 403 error will be returned.
Referer : Up to 10 domain names can be set and they will be matched by a prefix. Domain names, IPs, and asterisk * are supported formats (one address per line). Below are configuration rule description and examples:
Domain names and IPs with a specific port are supported, such as example.com:8080 and 10.10.10.10:8080.
If example.com is configured, addresses prefixed with example.com can be hit, such as example.com/123.
If example.com is configured, addresses prefixed with https://example.com and http://example.com can be hit.
If example.com is configured, the domain name with a specific port can also be hit, such as example.com:8080. 
If example.com:8080 is configured, the domain name example.com cannot be hit.
If *.example.com is configured, its second-level and third-level domain names can be restricted, such as example.com, b.example.com, and a.b.example.com.
Note: 
 After hotlink protection is enabled, the corresponding domain names must be entered.
6. After completing the configuration, click Save.
﻿
﻿
FAQs
For questions about hotlink protection, see the Data Security section in COS FAQs.