How do I prevent hotlinking on Amazon S3 without using signed URLs?

误落风尘 2020-12-24 02:36

Is there any way I can prevent hotlinking on Amazon S3 without using signed URLs?

7 answers
  •  粉色の甜心
    2020-12-24 03:26

    You need a bucket policy that both allows referrers from your domain(s) and denies referrers who are not from your domains. I've found that images can be hotlinked if you don't include the explicit denial - many guides and examples just give the allow policy and don't mention the deny part.

    Here's my policy, just change BUCKET-NAME and YOUR-WEBSITE to your own details:

    {
      "Version": "2008-10-17",
      "Id": "",
      "Statement": [
        {
          "Sid": "Allow in my domains",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::BUCKET-NAME/*",
          "Condition": {
            "StringLike": {
              "aws:Referer": [
                "http://www.YOUR-WEBSITE.com/*"
              ]
            }
          }
        },
        {
          "Sid": "Deny access if referer is not my sites",
          "Effect": "Deny",
          "Principal": {
            "AWS": "*"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::BUCKET-NAME/*",
          "Condition": {
            "StringNotLike": {
              "aws:Referer": [
                "http://www.YOUR-WEBSITE.com/*"
              ]
            }
          }
        }
      ]
    }
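
A simplified model of how the policy above evaluates, added here as an example and not part of the original answer: it compares the allow-only form with the allow-plus-deny form over constructed Referer values. The function names and sample URLs are assumptions, and real S3 authorization considers more than these two statements.

```python
import re

# The answer's two statements, reduced to (Effect, operator, aws:Referer patterns).
ALLOW = ("Allow", "StringLike", ["http://www.YOUR-WEBSITE.com/*"])
DENY = ("Deny", "StringNotLike", ["http://www.YOUR-WEBSITE.com/*"])

def like(value, pattern):
    # StringLike matching: case-sensitive, '*' is any run of characters, '?' is one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def condition_true(operator, patterns, referer):
    matched = referer is not None and any(like(referer, p) for p in patterns)
    if operator == "StringLike":
        return matched            # absent header: a positive operator is false
    if operator == "StringNotLike":
        return not matched        # absent header: a negated operator is true
    raise ValueError("unsupported operator: " + operator)

def evaluate(referer, statements):
    effects = {eff for eff, op, pats in statements if condition_true(op, pats, referer)}
    if "Deny" in effects:
        return "Deny"             # explicit deny overrides every grant
    # ImplicitDeny: this policy grants nothing, but another grant
    # (for example a public-read object ACL) would still allow the request.
    return "Allow" if "Allow" in effects else "ImplicitDeny"

# Constructed sample Referer values (None = no Referer header sent).
SAMPLES = [
    "http://www.YOUR-WEBSITE.com/gallery.html",
    "https://www.YOUR-WEBSITE.com/gallery.html",   # https is not in the pattern list
    "http://YOUR-WEBSITE.com/gallery.html",        # bare domain is not listed either
    "http://other-site.example/page.html",
    None,
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{str(ref):45} allow-only={evaluate(ref, [ALLOW]):12} "
              f"allow+deny={evaluate(ref, [ALLOW, DENY])}")
```

The https and bare-domain rows show that every scheme and hostname your pages are served from must appear in both lists. Because the Referer header is supplied by the client, this deters browser hotlinking and is not access control.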
    
