Static Hosting Security Configuration

The Static Hosting security configuration protects websites served by the cloud development static hosting service, helping developers guard website resources against malicious access and resource theft. Configuring the following options strengthens the security of your static website:

  • Hotlink Protection Configuration - Control Resource Access Sources
  • IP Allowlist and Blocklist Configuration - Precisely Managing Access Permissions
  • IP Access Frequency Limit Configuration - Prevent Malicious High-Frequency Requests

Hotlink Protection Configuration

The hotlink protection feature determines the legitimacy of access by identifying the request source (Referer), effectively preventing unauthorized hotlinking of resources by other websites and safeguarding your bandwidth and traffic resources.

Configuration Steps

  1. In the Cloud Development Console, go to Environment Configuration - Security Control to access the Static Hosting Security Configuration page.
  2. Enable the Hotlink Protection feature
  3. Select Hotlink Protection policy:
    • Blocklist Mode: Except for the sources in the list, all other sources are allowed to access.
    • Allowlist Mode: Only sources within the list are allowed to access; all others are denied.

Configuration Rules Instructions

  • Source Referer supports multiple entries, one per line, separated by newline characters.
  • Supports domain names or IP addresses in formats such as example.com and 192.168.0.1
  • Supports wildcards (*) to match subdomains, such as `*.cloudbase.net` and `*.example.com`
  • Supports path matching, such as example.com/path/*

Handling Empty Referer

You can choose whether to allow access with empty Referer:

  • Allow Empty Referer: Access is permitted when there is no Referer information, such as when directly accessing via address bar input or in certain special requests.
  • Disallow Empty Referer: Reject all requests without source information.
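
To check a rule list against sample Referer values before saving it in the console, the rules above can be modelled locally. This is an added example, not the service's own code. The matching semantics are assumptions: `*` matches any run of characters, matches are anchored to the whole host or path, and a rule without a path applies to every path. The rule list and URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed rule list in the console's one-rule-per-line format.
RULES_TEXT = """*.cloudbase.net
example.com/path/*
192.168.0.1
"""

def parse_rules(text):
    """Split the rule box into rules, ignoring blank lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def _glob(pattern, value):
    """Anchored match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def rule_matches(rule, referer):
    """Assumed semantics: host must match; path is checked only if the rule has one."""
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    rule_host, has_path, rule_path = rule.partition("/")
    if not _glob(rule_host.lower(), host):
        return False
    return not has_path or _glob("/" + rule_path, parts.path or "/")

def decide(referer, rules, mode, allow_empty):
    """Return True if the request would be served under the given policy."""
    if not referer:
        return allow_empty  # the empty-Referer switch decides
    listed = any(rule_matches(r, referer) for r in rules)
    return listed if mode == "allowlist" else not listed

RULES = parse_rules(RULES_TEXT)
```

Under these assumptions `*.cloudbase.net` does not cover the bare domain `cloudbase.net`, and a host such as `cloudbase.net.other-site.example` is not matched because the pattern is anchored at both ends.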

Application Scenarios

  • Prevent static resources such as images and videos from being directly linked by other websites
  • Protect proprietary website content from being embedded by unauthorized third parties
  • Control content distribution channels to ensure resources are displayed only on authorized websites

IP Allowlist and Blocklist Configuration

The IP allowlist and blocklist feature allows you to precisely control which IP addresses or network segments can access your static website resources, which is an important means to safeguard website security.

Configuration Steps

  1. In the Cloud Development Console, go to Environment Configuration - Security Control to access the Static Hosting Security Configuration page.
  2. Enable the IP allowlist and blocklist feature
  3. Select IP control policy:
    • Blocklist Mode: Block access from IPs in the list, while all other IPs are allowed to access.
    • Allowlist Mode: Only IPs in the list are allowed to access; all others are denied.

Configuration Rules Instructions

  • Supports adding multiple IP addresses or network segments, with one entry per line separated by line breaks.
  • Single IP format: 192.168.0.1
  • IP network segment format (CIDR notation): 192.168.0.0/24 (indicating all IPs in the range 192.168.0.0-192.168.0.255)
  • Supports IPv4 and IPv6 address formats
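
A rule list in this format can be linted and evaluated offline with Python's `ipaddress` module before it is pasted into the console. This is an added example, not the service's own code. The sample list is constructed, and rejecting CIDR entries whose host bits are set (such as `192.168.0.1/24`) is a choice made here to catch typos, not documented service behaviour.

```python
import ipaddress

# Constructed rule list: the last two entries are deliberate mistakes.
IP_RULES_TEXT = """192.168.0.1
192.168.0.0/24
2001:db8::/32
192.168.0.1/24
10.0.0.256
"""

def parse_ip_rules(text):
    """Return (networks, errors) for a one-entry-per-line rule list."""
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects a CIDR whose host bits are set.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append((lineno, entry, str(exc)))
    return networks, errors

def span(network):
    """First and last address covered by a rule, as strings."""
    return str(network[0]), str(network[-1])

def ip_allowed(client_ip, networks, mode):
    """Return True if client_ip would be served under the given policy."""
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr.version == net.version and addr in net
                 for net in networks)
    return listed if mode == "allowlist" else not listed

NETWORKS, ERRORS = parse_ip_rules(IP_RULES_TEXT)
```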

Application Scenarios

  • Restrict access to the management console to company private IP addresses
  • Block known malicious IPs from accessing website resources
  • Access control for specific regions or network operators
  • When creating a test environment, restrict access to only the development team

IP Access Frequency Limit Configuration

The access frequency limiting feature effectively prevents high-frequency access behaviors such as malicious crawlers and DDoS attacks by restricting the total number of requests from a single IP to static hosting resources within a specific time period, ensuring the stable operation of the website.

⚠️ Note: IP access frequency limiting applies to the total number of requests for static hosting resources, rather than the number of requests for individual files.

Configuration Steps

  1. In the Cloud Development Console, go to Environment Configuration - Security Control to access the Static Hosting Security Configuration page.
  2. Enable the IP access frequency limiting feature
  3. Set the QPS (queries per second) threshold. It is recommended to configure this reasonably based on the number of page resources.

Detailed Explanation of Rate Limiting Mechanism

Computation Principle

  • The system tallies the access frequency to all static hosting resources on a per-IP basis.
  • Each static resource request (HTML, CSS, JS, images, etc.) is independently counted towards the access count of that IP.
  • When the access frequency of a single IP exceeds the set threshold, excess requests will be denied (returning a 514 status code).
  • The rate limiting calculation employs a sliding time window algorithm to precisely control access frequency.

Case Study

Assume your web page contains the following resources:

  • 1 HTML file (index.html)
  • 3 CSS files
  • 5 JS files
  • 10 image files

When a user visits this page, the browser initiates 19 requests (1+3+5+10) to load all resources.

Configuration Example:

  • If the QPS limit is set to 2 requests/second, 17 requests will be denied during page loading, resulting in abnormal page display.
  • If the QPS limit is set to 20 requests/second, the page can be fully loaded without issues.
  • It is recommended to set an appropriate QPS value based on the maximum number of page resources, typically 1.5-2 times the number of page resources.
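
The case study can be reproduced with a small per-IP sliding-window limiter. This is an added example, not the service's implementation. It assumes a 1-second window, that denied requests do not count toward the window, and that the browser issues all requests within half a second; the client IP is a constructed documentation address.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Per-IP limiter: at most `qps` accepted requests in any `window` seconds."""

    def __init__(self, qps, window=1.0):
        self.qps = qps
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps of accepted requests

    def request(self, ip, now):
        """Return 200 if the request is served, 514 if it is rate limited."""
        recent = self.hits[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # drop timestamps that left the window
        if len(recent) >= self.qps:
            return 514
        recent.append(now)
        return 200

def denied_on_load(qps, visitors=1, resources=19, burst_seconds=0.5,
                   ip="198.51.100.7"):
    """Count 514 responses when `visitors` clients behind one IP load the page.

    Every resource (HTML, CSS, JS, image) counts against the same per-IP
    budget, so visitors sharing an address also share the limit.
    """
    limiter = SlidingWindowLimiter(qps)
    total = resources * visitors
    step = burst_seconds / total
    codes = [limiter.request(ip, i * step) for i in range(total)]
    return codes.count(514)
```

`denied_on_load(2)` gives the 17 denials from the case study and `denied_on_load(20)` gives none. With two visitors behind the same address, `denied_on_load(20, visitors=2)` denies 18 of the 38 requests, which is why the threshold should carry headroom above a single page load.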

QPS Setting Recommendations

| Page Type | Average Number of Resources | Recommended QPS Setting | Description |
|---|---|---|---|
| Simple Pages | 5-10 | 20-30 | Basic HTML + a small amount of CSS/JS |
| Regular Websites | 15-30 | 50-80 | Includes images, styles, scripts, etc. |
| Rich Media Pages | 50+ | 100-200 | Numerous images, videos, complex interactions |

Application Scenarios

  • Prevent malicious crawlers from mass scraping website content
  • Mitigate simple DDoS attacks
  • Protect static resources from excessive access
  • Prevent abuse of resource downloading

Frequently Asked Questions

Q: Why does a 514 error appear during page loading?
A: The QPS setting may be too low, causing page resource requests to exceed the limit. It is recommended to check the number of page resources and appropriately increase the QPS threshold.

Q: How do I determine the appropriate QPS value?
A: You can use browser developer tools to check the number of resources loaded on the page, then set it to 1.5-2 times that number as the initial value, and adjust based on actual access conditions.

Best Practices

Security Configuration Combination Policy

Depending on different application scenarios, you can combine the above security configurations to build a multi-layered security protection system:

  1. Public Website:

    • Enable hotlink protection (allowlist mode), allowing empty Referer
    • Enable IP blocklist to block known malicious IPs
    • Set an appropriate access frequency limit threshold (e.g., 100-300 QPS)
  2. Internal Enterprise Applications:

    • Enable IP allowlist to only allow access from corporate networks.
    • Enable hotlink protection (allowlist mode), disallowing empty Referer
    • Set a higher access frequency limit threshold
  3. Resource Distribution Website:

    • Strict hotlink protection allowlist configuration
    • Appropriate IP access frequency limiting
    • Configure specific access control rules for frequently downloaded resources

Monitoring and Adjustment

Regularly check access logs and security configuration effectiveness, adjusting security policies based on actual conditions:

  • Analyze rejected request patterns to identify potential security threats
  • Adjust access frequency limit thresholds as needed based on business growth
  • Regularly update IP allowlists and blocklists, removing outdated rules

By properly configuring the security options for Static Hosting, you can effectively protect website resources, enhance access experience, and reduce security risks.