Hotlink Protection
Introduction
Website A stores its static resources, such as images or videos, on BOS (Baidu AI Cloud object storage). Without A's permission, Website B embeds A's image or video resources in its own pages. Because BOS is billed by usage, B consumes A's storage and traffic while A receives no benefit and pays the resource fees. This practice of B using A's resources on its own site is called hotlinking, and the measures that block it are called hotlink protection.
Principle
The main method of hotlink protection is to restrict which pages may reference a resource. BOS offers two ways to do this: Referer hotlink protection and signed URL hotlink protection.
- Referer hotlink protection compares the Referer attribute in the HTTP request header (which records the URL of the page that issued the request) with a whitelist configured on the server. If it matches, the request is treated as coming from the site itself or from a trusted site; otherwise it is treated as a hotlink.
- The Referer attribute can be forged by a client, however. Where that matters, hotlink protection should be implemented with signed URLs instead.
Configure the Hotlink Protection of BOS
Set Up Referer Hotlink Protection
What Is Referer
Referer is a field of the HTTP request header. Its value depends on how the resource is requested:
- Direct access to the resource: the browser requests the BOS resource directly (for example by typing its URL), and the HTTP request carries no Referer attribute.
- Reference from site A: the browser loads the index page of test.com, which references the BOS resource. When the browser then requests the resource from BOS, the HTTP request header carries a Referer attribute indicating that the page http://test.com/index references the resource.
Test Results of Different Referer Settings
To test the hotlink protection, two websites are built: the source website test.com and the hotlinking website test-steal.com. Each hosts an index page that references the image resource on BOS. The code is as follows:
Please see Set Referer Whitelist for the operation and principle of configuring bucket. The following details the different test results corresponding to different settings:
- Setting the bucket's access control to "do not allow Referer null" and also setting a Referer whitelist realizes hotlink protection.
The test results are as follows:

| Browser input | Description | Result |
|---|---|---|
| http://bos-test-f.bj.bcebos.com/bos.jpg | Direct access, Referer is null | Null Referer requests are not allowed; BOS returns 403 |
| http://test.com/index | Request comes from the source site, Referer is not null | Access successful |
| http://test-steal.com/index | Request comes from the hotlinking website | BOS returns 403; hotlink protection succeeds |
- Setting "allow Referer null" and also setting a Referer whitelist likewise realizes hotlink protection, except that direct access is permitted.
The test results are as follows:

| Browser input | Description | Result |
|---|---|---|
| http://bos-test-f.bj.bcebos.com/bos.jpg | Direct access, Referer is null | Access successful |
| http://test.com/index | Request comes from the source site, Referer is not null | Access successful |
| http://test-steal.com/index | Request comes from the hotlinking website | BOS returns 403; hotlink protection succeeds |
- Setting only "do not allow Referer null" on the bucket, without a Referer whitelist, does not realize hotlink protection, so this configuration is not recommended.
The test results are as follows:

| Browser input | Description | Result |
|---|---|---|
| http://bos-test-f.bj.bcebos.com/bos.jpg | Direct access, Referer is null | Null Referer requests are not allowed; BOS returns 403 |
| http://test.com/index | Request comes from the source site, Referer is not null | Access successful |
| http://test-steal.com/index | Request comes from the hotlinking website, but Referer is not null | Access successful; the hotlink is not blocked |
Advantages and Disadvantages of Referer hotlink protection
The advantage of Referer hotlink protection is that it is easy to set up and can be configured entirely in the console. The disadvantage is that it cannot prevent a forged Referer: a client program that sends a Referer matching the whitelist bypasses the setting. Where stronger protection is required, use signed URLs.
Configure Signed URL hotlink protection
The principle of signed URL hotlink protection is to set the file to private access and then generate a pre-signed URL that gives users a temporary access URL. When the pre-signed URL is generated, its validity period can be specified, which prevents long-term access. To generate a pre-signed URL with the Java SDK, see Get URL of Object.
The example below uses the sails framework for Node.js and the BOS JavaScript SDK to implement this function. The validity period of the URL is set with expirationInSeconds in the code. The implementation is as follows:
```javascript
var BosClient = require("@baiducloud/sdk").BosClient;

module.exports = {
    showImage: function (req, res) {
        var config = {
            endpoint: "http://bj.bcebos.com",
            credentials: {
                ak: "AK", // Your AK; in production, load it from configuration rather than source code
                sk: "SK"  // Your SK; never commit the real value
            }
        };
        var client = new BosClient(config);
        var bucketName = "bos-test-f";
        var key = "bos.jpg";
        // Signing timestamp in whole seconds (Date.now() is in milliseconds)
        var timestamp = Math.floor(Date.now() / 1000);
        // The URL stops working this many seconds after the timestamp
        var expirationInSeconds = 1800;
        var headers = {};
        var params = {};
        var headersToSign = {};
        var signedUrl = client.generatePresignedUrl(bucketName, key, timestamp, expirationInSeconds, headers, params, headersToSign, config);
        // Render the "image" view with the freshly signed URL
        return res.view("image", { signedUrl: signedUrl });
    }
};
```
In the view template, set the image source to the signed URL:
```pug
Hi Test
img(src="#{signedUrl}")
```
Test Results
As shown in the figure, a new signed URL is generated on every page visit and is used to fetch the BOS resource. Each signed URL has an expiration time; once it has expired, BOS returns a 403 error and denies access, which realizes the hotlink protection.
- Result with an unexpired signed URL
- Result after expiry: access denied