
          Object Storage

          Hotlink Protection

          Introduction

          Website A stores static resources such as pictures or videos in BOS, the object storage of Baidu AI Cloud. Without the permission of Website A, Website B embeds the image or video resources of Website A in its own pages. Because BOS is charged according to usage, Website B consumes the storage space and traffic of Website A: A gains nothing from those requests but pays the resource usage fee. This behavior, in which B embezzles A's resources and puts them on its own website, is called hotlinking, and the measures taken against it are called hotlink protection.

          Principle

          The main method of hotlink protection is to restrict the referring page. There are two ways to do this: Referer hotlink protection and signed URL hotlink protection.

          • Referer hotlink protection compares the Referer attribute in the header of the HTTP request (which records the URL of the page that sent the request to the server) against a whitelist configured on the server. If it matches, the request is treated as an in-site request or a request from a site the owner trusts; otherwise it is regarded as a hotlink.
          • However, the Referer attribute can be tampered with maliciously. In that case, hotlink protection can be implemented with signed URLs instead.

          What Is Referer

          Referer is a field of the HTTP request header. Its value differs between scenarios:

          • Direct access to the server-side resource: the browser requests the BOS resource directly, and the HTTP request does not contain a Referer attribute.
          • Reference to the BOS resource from site A: the browser opens the index page of test.com, which references the BOS resource. When the browser then requests the resource from BOS, the HTTP request header contains a Referer attribute indicating that the page http://test.com/index references the resource.

          Test Results of Different Referer Settings

          To test the hotlink protection, two websites are built: the source website test.com and the hotlinking website test-steal.com. An index page that references the image resource on BOS is deployed on each of the two websites. The code is as follows:

          Please see Set Referer Whitelist for how to configure the bucket and the principle behind it. The test results for the different settings are detailed below:

          • Setting the bucket's access control to "do not allow Referer null" and also setting a Referer whitelist realizes hotlink protection.

            The test results are as follows:

            Browser input | Description | Result
            --- | --- | ---
            http://bos-test-f.bj.bcebos.com/bos.jpg | Direct access, null Referer | Null Referer request not allowed, returns 403
            http://test.com/index | The request comes from the source website, Referer is not null | Visit successful
            http://test-steal.com/index | The request comes from the hotlinking website | BOS returns 403, and the hotlink protection succeeds

          • Setting "allow Referer null" and also setting a Referer whitelist realizes hotlink protection as well.

            The test results are as follows:

            Browser input | Description | Result
            --- | --- | ---
            http://bos-test-f.bj.bcebos.com/bos.jpg | Direct access, null Referer | Visit successful
            http://test.com/index | The request comes from the source website, Referer is not null | Visit successful
            http://test-steal.com/index | The request comes from the hotlinking website | BOS returns 403, and the hotlink protection succeeds

          • Setting only the bucket's access control to "do not allow Referer null" does not realize hotlink protection, so this configuration is not recommended.

            The test results are as follows:

            Browser input | Description | Result
            --- | --- | ---
            http://bos-test-f.bj.bcebos.com/bos.jpg | Direct access, null Referer | Null Referer request not allowed, returns 403
            http://test.com/index | The request comes from the source website, Referer is not null | Visit successful
            http://test-steal.com/index | The request comes from the hotlinking website, but Referer is not null | Visit successful (the hotlink is not blocked)
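The following is an added example, not code from the Baidu AI Cloud documentation or SDK: a small JavaScript model of the Referer check described under Principle, run against the three bucket configurations and the three requests in the tables above. The option names allowEmptyReferer and whitelist, and the rule that a leading "*." matches the bare domain and all its subdomains, are assumptions of this model rather than BOS's exact matching rules.

```javascript
// Added example: a model of the Referer whitelist check described on this page,
// not Baidu AI Cloud's own code. The console settings are represented by two
// constructed options: allowEmptyReferer and whitelist (host patterns; a
// leading "*." is assumed to match the bare domain and any subdomain).

// Extract the host from a Referer header value. Returns null for a missing,
// empty or unparsable Referer (the "null Referer" rows in the tables).
function refererHost(referer) {
  if (!referer) return null;
  try {
    return new URL(referer).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Match a host against one whitelist pattern.
function hostMatches(host, pattern) {
  const p = pattern.toLowerCase();
  if (p.startsWith("*.")) {
    const base = p.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === p;
}

// Decide one object request: 200 when allowed, 403 when refused.
function checkReferer(referer, config) {
  const host = refererHost(referer);
  if (host === null) {
    return config.allowEmptyReferer ? 200 : 403;
  }
  const whitelist = config.whitelist || [];
  if (whitelist.length === 0) {
    // No whitelist configured: only the empty-Referer rule applies, so any
    // non-empty Referer, including a hotlinking one, passes (third table).
    return 200;
  }
  return whitelist.some((p) => hostMatches(host, p)) ? 200 : 403;
}

// Run the three requests from the tables against one configuration.
function runTable(config) {
  const requests = {
    direct: null,                            // BOS URL typed into the browser
    source: "http://test.com/index",         // page on the source website
    hotlink: "http://test-steal.com/index",  // page on the hotlinking website
  };
  const result = {};
  for (const [name, referer] of Object.entries(requests)) {
    result[name] = checkReferer(referer, config);
  }
  return result;
}

// The three bucket settings tested on the page (constructed representation).
const configs = {
  denyEmptyWithWhitelist:  { allowEmptyReferer: false, whitelist: ["*.test.com"] },
  allowEmptyWithWhitelist: { allowEmptyReferer: true,  whitelist: ["*.test.com"] },
  denyEmptyOnly:           { allowEmptyReferer: false, whitelist: [] },
};

for (const [name, cfg] of Object.entries(configs)) {
  console.log(name, runTable(cfg));
}
```

The third configuration is the one the page warns against: with no whitelist, the check can only distinguish an empty Referer from a non-empty one, so a request from test-steal.com is indistinguishable from a legitimate one.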

          Advantages and Disadvantages of Referer hotlink protection

          The advantage of Referer hotlink protection is that it is easy to set up and can be configured in the console. The disadvantage is that it cannot prevent malicious forgery of the Referer: if an application program sends requests with a forged Referer, the user's hotlink protection setting is bypassed. Where stronger hotlink protection is required, implement it with signed URLs.

          The principle of signed URL hotlink protection is to set the file to private access and then generate a pre-signed URL that gives users a temporary access URL. When the pre-signed URL is generated, the validity period of the URL can be specified, which prevents users from accessing the resource in the long term. To generate a pre-signed URL with the Java SDK, see Get URL of Object.

          The signed URL hotlink protection below uses the Sails framework for Node.js to call the BOS JavaScript SDK. The expiration time of the URL is specified by expirationInSeconds in the code. The implementation code is as follows:

          // Sails controller action: generate a pre-signed URL for the image and hand it to the view
          var BosClient = require("@baiducloud/sdk").BosClient;

          module.exports = {

              showImage: function (req, res) {
                  var config = {
                      endpoint: "http://bj.bcebos.com",
                      credentials: {
                          ak: "AK",     // Your AK
                          sk: "SK"      // Your SK (stays on the server; it is never placed in the URL)
                      }
                  };

                  var client = new BosClient(config);

                  var bucketName = "bos-test-f";
                  var key = "bos.jpg";
                  // Signing time in whole seconds since the epoch (Date.now() returns milliseconds)
                  var timestamp = Math.floor(Date.now() / 1000);
                  // The URL stops working expirationInSeconds after timestamp (here 30 minutes)
                  var expirationInSeconds = 1800;
                  var headers = {};        // additional request headers to sign (none here)
                  var params = {};         // additional query parameters (none here)
                  var headersToSign = {};  // headers that must be covered by the signature (none here)

                  var signedUrl = client.generatePresignedUrl(bucketName, key, timestamp, expirationInSeconds, headers, params, headersToSign, config);

                  // Render the "image" view with the signed URL as the image source
                  return res.view("image", { signedUrl: signedUrl });
              }
          };

          In the image view (Jade/Pug template syntax), specify the signed URL as the address of the image resource:

          Hi Test
          img(src="#{signedUrl}")

          Test Results

          As shown in the figures, a new signed URL is generated each time the page is visited and used to access the BOS resource. The signed URL has an expiration time; once it has expired, a 403 error is returned and access is denied, which realizes the hotlink protection.

          • Results with an unexpired signed URL
          • Results with an expired signed URL (access denied)