Static Hosting Security Configuration
Security configuration for static hosting provides comprehensive security protection mechanisms for CloudBase's static hosting service, helping developers effectively protect website resources and prevent malicious access and resource theft. By properly configuring the following security options, you can significantly enhance the security of your static website.
- Hotlink Protection Configuration - Control resource access sources
- IP Allowlist and Blocklist Configuration - Precise management of access permissions
- IP Access Rate Limiting Configuration - Prevent malicious high-frequency requests
Hotlink Protection Configuration
The Hotlink Protection feature determines access legitimacy by identifying request sources (Referer), effectively preventing unauthorized resource referencing by other websites and safeguarding your bandwidth and traffic resources.
Configuration Steps
- In the CloudBase Console, navigate to the static hosting security configuration page via [Environment Configuration] - [Security Management].
- Enable the Hotlink Protection switch
- Select a hotlink protection policy:
- Blocklist mode: All sources except those in the list are allowed access.
- Allowlist mode: Only sources within the list are allowed access; all others are denied.
Configuration Rules Description
- Source Referer supports multiple entries, one per line, separated by line breaks.
- Supports domain name or IP format, such as:
example.com,192.168.0.1 - Supports wildcard () for matching subdomains, such as: `.cloudbase.net
,*.example.com` - Supports path matching, such as:
example.com/path/*
Handling Empty Referer
You can choose whether to allow access with empty Referer:
- Allow Empty Referer: Allow access for direct access (e.g., entering URL in the address bar) or when certain special requests contain no Referer information.
- Disallow Empty Referer: Deny all requests without referer information.
Application Scenarios
- Prevent static resources such as images and videos from being directly referenced by other websites
- Protect proprietary website content from being embedded by unauthorized third parties
- Control content distribution channels to ensure resources are only displayed on authorized websites
IP Allowlist and Blocklist Configuration
The IP allowlist and blocklist feature allows you to precisely control which IP addresses or network segments can access your static website resources, serving as a critical measure for website security.
Configuration Steps
- In the CloudBase Console, navigate to the static hosting security configuration page via [Environment Configuration] - [Security Management].
- Enable the IP allowlist and blocklist feature
- Select an IP control policy:
- Blocklist mode: Block access from IP addresses in the list and allow all other IP addresses.
- Allowlist mode: Only IP addresses in the list are allowed access; all others are denied.
Configuration Rules Description
- Supports adding multiple IP addresses or network segments, with one entry per line separated by line breaks.
- Single IP format:
192.168.0.1 - IP network segment format (CIDR notation):
192.168.0.0/24(represents all IPs in the range 192.168.0.0-192.168.0.255) - Supports IPv4 and IPv6 address formats
Application Scenarios
- Restrict management console access to corporate intranet IP addresses only
- Block known malicious IP addresses from accessing website resources.
- Implement access control for specific regions or network operators.
- Restrict access to the development team only when creating a test environment.
IP Access Rate Limiting Configuration
The access rate limiting feature effectively prevents high-frequency access behaviors such as malicious crawlers and DDoS attacks by restricting the number of requests from a single IP within a specific time period, ensuring stable website operation.
Configuration Steps
- In the CloudBase Console, navigate to the static hosting security configuration page via [Environment Configuration] - [Security Management].
- Enable the IP access rate limiting feature
- Set the QPS (Queries Per Second) threshold, e.g., 100 requests/second.
Rate Limiting Mechanism Description
- The system tracks access frequency on a per-IP basis.
- When the access frequency of a single IP exceeds the set threshold, excess requests will be rejected (returning a 429 Too Many Requests status code)
- Rate limiting uses a sliding time window algorithm to precisely control access frequency.
Application Scenarios
- Prevent malicious crawlers from scraping website content in large quantities
- Defend against simple DDoS attacks
- Protect API endpoints from excessive calls
- Prevent resource download abuse
Best Practices
Composite Security Configuration Policy
Depending on different application scenarios, the above security configurations can be combined to build a multi-layered security protection system:
Public Website:
- Enable hotlink protection (allowlist mode) and allow empty Referer
- Enable IP blocklist to block known malicious IP addresses
- Set an appropriate access rate limit threshold (e.g., 100-300 QPS)
Internal Enterprise Application:
- Enable IP allowlist to only allow enterprise network access
- Enable hotlink protection (allowlist mode) and do not allow empty Referer
- Set a higher access rate limit threshold
Resource Distribution Website:
- Strict hotlink protection allowlist configuration
- Appropriate IP access rate limiting
- Set special access control rules for high-frequency download resources
Monitoring and Adjustment
Regularly check access logs and security configuration effectiveness, and adjust security policies based on actual conditions:
- Analyze the pattern of denied requests to identify potential security threats.
- Adjust the access rate limit threshold as business grows
- Regularly update the IP blocklist and allowlist, and remove outdated rules
By properly configuring static hosting security options, you can effectively protect website resources, enhance access experience, and reduce security risks.