# oss-network_security

# Object Storage Service Network Security Console Guide

## Operations Overview

| Operation | Console Entry Path | Prerequisites | Description |
|----------|-------------------|---------------|-------------|
| Enable Hotlink Protection | Console > OSS > Buckets > Bucket Settings > Hotlink Protection | A bucket must already be created; you must have permissions to modify bucket policies | Configure referer-based access control to prevent unauthorized embedding or linking of OSS resources |

## Operation Steps

### Enable Hotlink Protection

**Navigation**: Console > OSS > Buckets > Bucket Settings > Hotlink Protection

**Prerequisites**:
- A bucket must already be created
- You must have permissions to modify bucket policies

1. Navigate to the bucket's settings page  
   - Element: **Bucket Settings** (tab) — located in the left navigation panel  
   - Notes: Select the target bucket from the bucket list first if not already open

2. Click on the Hotlink Protection tab  
   - Element: **Hotlink Protection** (tab) — located in the top navigation bar of the bucket settings page  
   - Notes: The page will load the hotlink protection configuration panel

3. Toggle the hotlink protection switch to 'On'  
   - Element: **Switch** (toggle) — located in the main content area  
   - Notes: The switch turns green when enabled. This activates referer checking for all object requests.

4. Enter allowed domains in the field  
   - Element: **Allowed Domains** (text_input) — located in the main content area  
   - Notes: Enter one domain per line. Use wildcards like `*.example.com` to allow all subdomains. Example: `https://www.example.com`, `*.myapp.io`

5. (Optional) Configure empty referer handling  
   - Element: **Block Request with Empty Referer** (checkbox) — located below the allowed domains field  
   - Notes: By default, this checkbox is checked. If enabled, requests that do not include a referer header (e.g., direct browser access) will be blocked.

6. Click Save to apply changes  
   - Element: **Save** (button) — located in the bottom-right corner  
   - Notes: After clicking, wait for the success notification. Changes take effect immediately.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Allowed Domains | text_input | No | — | List of domains permitted to reference your objects. One per line. Use `*` as a wildcard for subdomains (e.g., `*.example.com`). Protocols (http/https) must match actual request origins. |
| Block Request with Empty Referer | checkbox | No | — | If checked, requests without a referer header (such as direct URL access in a browser) are denied. Default: checked. |
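
Because saved changes take effect immediately, it helps to dry-run planned settings against the clients that must keep working. The following is an added example, not OSS code: a small model of the referer check as this page describes it. It assumes that an entry without a protocol matches both http and https and that `*.example.com` matches subdomains only; the function names and sample requests are constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

def referer_allowed(referer, allowed_domains, block_empty_referer=True):
    """Model of the check described on this page; True means the request is served."""
    if not referer:                      # SDK/API calls, direct URL access
        return not block_empty_referer
    ref = urlsplit(referer)
    host = (ref.hostname or "").lower()
    for entry in allowed_domains:
        entry = entry.strip().lower()
        if not entry:
            continue
        scheme, sep, pattern = entry.partition("://")
        if not sep:                      # entry has no protocol, e.g. *.myapp.io
            scheme, pattern = "", entry  # assumption: matches http and https
        pattern = pattern.split("/")[0]  # ignore any trailing path in the entry
        if scheme and scheme != ref.scheme:
            continue                     # protocol must match the request origin
        if fnmatchcase(host, pattern):   # assumption: *.x matches subdomains, not x
            return True
    return False                         # empty list: every Referer is rejected

def blocked_clients(samples, allowed_domains, block_empty_referer=True):
    """Return labels of sample requests the planned settings would deny."""
    return [label for label, referer in samples
            if not referer_allowed(referer, allowed_domains, block_empty_referer)]

# Constructed sample traffic: (client label, Referer header or None)
SAMPLES = [
    ("site page (https)", "https://www.example.com/gallery.html"),
    ("site page (http)", "http://www.example.com/gallery.html"),
    ("app subdomain", "https://cdn.myapp.io/index.html"),
    ("third-party page", "https://other.example.net/post/1"),
    ("SDK upload job", None),
    ("direct browser access", ""),
]
PLANNED = ["https://www.example.com", "*.myapp.io"]  # values from step 4

if __name__ == "__main__":
    for block_empty in (True, False):
        print(block_empty, blocked_clients(SAMPLES, PLANNED, block_empty))
```

Any label in the output that belongs to a legitimate client (here the SDK job and the http page) points to a setting to adjust before clicking **Save**.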

## FAQ

Q: Where can I find the hotlink protection settings in the OSS console?  
A: Go to the OSS console, select your bucket, then navigate to **Bucket Settings** > **Hotlink Protection** tab.

Q: What happens if I leave the "Allowed Domains" field empty after enabling hotlink protection?  
A: If no domains are specified, every request that carries a referer header will be blocked, including requests from your own sites. Only requests without a referer header (direct access) can still succeed, and only if you uncheck "Block Request with Empty Referer".

Q: Can I modify hotlink protection settings after they’ve been saved?  
A: Yes. You can return to the Hotlink Protection tab at any time to add/remove domains, toggle the feature off/on, or change the empty referer setting.

Q: Does enabling hotlink protection affect API or SDK access to my bucket?  
A: Yes. Requests made via SDKs or APIs typically do not send a referer header. If "Block Request with Empty Referer" is enabled, such requests may be denied. Consider disabling this option if your application uses programmatic access.

Q: Do I need special permissions to configure hotlink protection?  
A: Yes. Your account must have the `oss:PutBucketReferer` permission to modify hotlink (referer) settings for a bucket.

## Pricing & Billing

### Billing Model  
Hotlink protection is available at no additional cost.

### Free Tier  
Hotlink protection is available at no additional cost.

### Quota Limits  
No usage limits apply to hotlink protection.

### Billing Notes  
This feature does not incur any charges or affect storage or bandwidth costs.