Configuring URL Validation to Prevent Unauthorized Access to Your Data

OBS blocks access requests from blacklisted URLs and allows those from whitelisted URLs.

Scenarios

Some rogue websites may steal links from other websites to enrich their content without any costs. Link stealing hurts the interests of the original websites and it is also a strain on their servers. URL validation is designed to address this issue.

In HTTP, the Referer field allows websites and web servers to identify where people are visiting them from. URL validation of OBS utilizes this Referer field. The idea is that once you find that a request to your resource is not originated from an authorized source, you can have the request blocked or redirected to a specific web page. This way, OBS prevents unauthorized access to data stored in buckets.

Referers can be configured using a whitelist or blacklist.

Referer Rules

The total length of the Referers in a whitelist or blacklist cannot exceed 1,024 characters.
Referer format:
- You can enter multiple Referers, with each one on a separate line.
- A Referer can contain wildcards (*) and question marks (?). A wildcard can match zero or more characters and a question mark (?) can match a single character.
- If the Referer header contains http or https during a download, the Referer configuration must also contain http or https.
If the Referer whitelist is empty while the blacklist is not, all websites except those listed in the blacklist are allowed to access the target bucket.
If the Referer whitelist is not empty, regardless of whether the blacklist is empty or not, only websites that appear in the whitelist and do not appear in the blacklist are allowed to access the target bucket.
If a Referer appears in both the whitelist and the blacklist, that Referer is denied. For example, if both the whitelist and the blacklist contain https://www.example.com, requests from that website will be blocked.
If both the Referer whitelist and blacklist are empty, all websites are allowed to access the target bucket by default.
Before determining whether a user has the four types of permissions (read, write, ACL read, and ACL write) for a bucket and its objects, check whether this user complies with the URL validation rules defined in the Referer field.
The Referer supports wildcard domain names.

Prerequisites

Static website hosting has been enabled.

Ways to Configure URL Validation

You can use OBS Console or APIs to configure URL validation.

Using OBS Console

In the navigation pane of OBS Console, choose Buckets.
In the bucket list, click the bucket you want to operate. The Objects page is displayed.
In the navigation pane, choose Data Security > URL Validation.
Click next to the text box of Whitelisted Referers or Blacklisted Referers and enter the Referers.

Principles for setting Referers:
- The total length of the Referers in a whitelist or blacklist cannot exceed 1,024 characters.
- Referer format:
  - You can enter multiple Referers, with each one on a separate line.
  - A Referer can contain wildcards (*) and question marks (?). A wildcard can match zero or more characters and a question mark (?) can match a single character.
  - If the Referer header contains http or https during a download, the Referer configuration must also contain http or https.
- If the Referer whitelist is empty while the blacklist is not, all websites except those listed in the blacklist are allowed to access the target bucket.
- If the Referer whitelist is not empty, regardless of whether the blacklist is empty or not, only websites that appear in the whitelist and do not appear in the blacklist are allowed to access the target bucket.
- If a Referer appears in both the whitelist and the blacklist, that Referer is denied. For example, if both the whitelist and the blacklist contain https://www.example.com, requests from that website will be blocked.
- If both the Referer whitelist and blacklist are empty, all websites are allowed to access the target bucket by default.
- Before determining whether a user has the four types of permissions (read, write, ACL read, and ACL write) for a bucket and its objects, check whether this user complies with the URL validation rules defined in the Referer field.
- The Referer supports wildcard domain names.
Click to save the settings.

Using APIs

Configure a URL validation whitelist

Parent Topic: Data Security

Previous topic: Configuring CORS to Allow Cross-Origin Access to OBS

Next topic: Configuring Access Control with Both VPC Endpoint Policies and OBS Bucket Policies

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

For any further questions, feel free to contact us through the chatbot.

Chatbot