This document describes how to use the hotlink protection capabilities provided by EdgeOne to protect your content against unauthorized hotlinking and improve the security of acceleration services.
Background
Hotlinking can result in other websites or applications directly using your resources, consuming your bandwidth and server resources, and may even lead to the misuse or unauthorized distribution of your content, harming your brand image and reputation. EdgeOne supports a range of hotlink protection capabilities to ensure that only authorized users can access and use your content, protecting your content's security.
Implementation Method
HTTP response: Implements basic access control such as IP blocklist/allowlist, Referer blocklist/allowlist, UA blocklist/allowlist, and regional access control. For details, see HTTP Response.
Token authentication: Timestamp-based hotlink protection, which is more secure and reliable. For details, see Token Authentication.
Edge functions: Customizable hotlink protection capabilities such as remote authentication can be implemented through Edge Functions.
Directions
Referer Hotlink Protection
Setting access control rules based on the Referer field in the HTTP request header helps identify and filter visitors, preventing illegal use of website resources. After the Referer blocklist/allowlist is configured, EdgeOne will authenticate requests based on the list, allowing or denying access requests. If the request is allowed, EdgeOne will return the resource link; if denied, EdgeOne will return a 403 response code.
Configuration Samples
For your site example.com, if you only allow access to the domain business www.example.com with the Referer set to https://www.example.com, and deny all other requests directly with a 403 response, you can follow these steps:
1. Log in to the EdgeOne console and click Site List in the left sidebar. Then, in the Site List, click the site you want to configure.
2. On the site details page, click Site Acceleration to enter the global configuration page for the site. Then, click the Rule Engine tab.
3. On the Rule Engine page, click Create rule, and then select Add blank rule.
3.1 On the rule editing page, set the matching type to HOST equal to www.example.com, and add a second matching type, HTTP Request Header, with the Referer header value not equal to https://www.example.com.
3.2 Click Action, and in the pop-up operation list, select the operation as HTTP Response.
3.3 Configure the response status code as 403. Select the response page from the drop-down list. If no page is available, you need to click Create Page to create one first and then reference it.
4. The complete rule configuration is as demonstrated below. By clicking Save and publish, the rule configuration will be completed.
IP Blocklist/Allowlist
By configuring the IP blocklist/allowlist to filter user requests, you can intercept or allow access from specific IP addresses, effectively limiting access sources and addressing issues such as hotlinking by malicious IP addresses and attacks.
Configuration Samples
For your site example.com, if you only allow access to the domain business www.example.com from client IP addresses within the range 1.1.2.1 to 1.1.2.254 (including 1.1.2.1 and 1.1.2.254), and deny all other access directly with a 403 response, you can follow these steps:
1. Log in to the EdgeOne console and click Site List in the left sidebar. Then, in the Site List, click the site you want to configure.
2. On the site details page, click Site Acceleration to enter the global configuration page for the site. Then, click the Rule Engine tab.
3. On the Rule Engine page, click Create rule, and then select Add blank rule.
3.1 On the rule editing page, set the matching type to HOST equal to www.example.com, and add a second matching type, Client IP, equal to 1.1.2.0/24.
3.2 Click Action, and in the pop-up operation list, select the operation as HTTP Response.
3.3 Configure the response status code as 403. Select the response page from the drop-down list. If no page is available, you need to click Create Page to create one first and then reference it.
4. The complete rule configuration is as demonstrated below. By clicking Save and publish, the rule configuration will be completed.
UA Blocklist/Allowlist
User-Agent is part of the HTTP request header, which identifies the operating system and version and the browser type and version used by the user for accessing. You can configure the User-Agent blocklist/allowlist to restrict the sources of users accessing business resources and enhance the security of acceleration.
Configuration Samples
The domain business www.example.com under your example.com site is being maliciously crawled by Google crawlers, causing a sudden bandwidth increase and severely driving up fees. Analysis shows that the crawler requests' User-Agent contains spider. If you want to block such requests, you can follow these steps:
1. Log in to the EdgeOne console and click Site List in the left sidebar. Then, in the Site List, click the site you want to configure.
2. On the site details page, click Site Acceleration to enter the global configuration page for the site. Then, click the Rule Engine tab.
3. On the Rule Engine page, click Create rule, and then select Add blank rule.
3.1 On the rule editing page, set the matching type to HOST equal to www.example.com, and add a second matching type, HTTP Request Header, with a regular expression match on the User-Agent header value for *spider*.
3.2 Click Action, and in the pop-up operation list, select the operation as HTTP Response.
3.3 Configure the response status code as 403. Select the response page from the drop-down list. If no page is available, you need to click Create Page to create one first and then reference it.
4. The complete rule configuration is as demonstrated below. By clicking Save and publish, the rule configuration will be completed.
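The three rule-engine configurations above (Referer allowlist, client IP allowlist and User-Agent blocklist) written out as one decision function, so their match semantics can be checked offline before publishing a rule. This is an added example, not EdgeOne's rule engine or edge-function code; the request shape, the `evaluate` and `inCidr` helpers, and the reduction of the `*spider*` pattern to the regex `spider` are assumptions of this example.

```javascript
// Added example (not EdgeOne code): the page's three console rules as one
// decision function. Any matching deny rule yields 403; otherwise 200.

const ALLOWED_HOST = "www.example.com";
const ALLOWED_REFERER = "https://www.example.com";
const ALLOWED_CIDR = "1.1.2.0/24";

// Convert a dotted IPv4 address to an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip lies inside cidr. Note 1.1.2.0/24 covers 1.1.2.0-1.1.2.255,
// two addresses more than the 1.1.2.1-1.1.2.254 range the page describes.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// req = { host, clientIp, headers: { referer?, "user-agent"? } } (assumed shape)
function evaluate(req) {
  if (req.host !== ALLOWED_HOST) return 200; // rules are scoped to this host

  // Referer rule: this example treats a missing header as "not equal", so
  // direct visits and privacy-stripped Referers are denied too. Confirm how
  // the console rule handles an absent header before relying on it.
  if ((req.headers.referer ?? "") !== ALLOWED_REFERER) return 403;

  // Client IP rule: deny everything outside the allowlisted /24.
  if (!inCidr(req.clientIp, ALLOWED_CIDR)) return 403;

  // User-Agent rule: "*spider*" is glob syntax; as a regex, "spider" alone
  // matches anywhere in the header. Case-insensitive, since UA casing varies.
  if (/spider/i.test(req.headers["user-agent"] ?? "")) return 403;

  return 200;
}
```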
Token Authentication
Token authentication is a simple and highly reliable access control policy. By configuring authentication rules for URL access validation, it can effectively prevent malicious hotlinking of site resources. The use of this feature requires cooperation between the client and EdgeOne: the client is responsible for initiating encrypted URL requests, and EdgeOne is responsible for verifying the legitimacy of the URL based on predefined rules. For detailed configuration and usage, refer to Token Authentication.
Remote Authentication
If you have your own authentication server, you can configure remote authentication to forward user requests to the authentication server you specify. The server then validates the requests. This method is suitable for scenarios requiring precise access control and real-time authentication. EdgeOne can achieve remote authentication capability through edge functions. For sample functions, refer to Remote Authentication.