How to restrict object access based on HTTP referer header?
    • 18 Dec 2023

    If you would like a Wasabi bucket to be public, but only to users who are requesting objects from a specific website, you can add a string condition to the bucket policy that checks the HTTP Referer header of each request. A typical use case is a website whose images, videos and other static assets are stored in a Wasabi bucket and should not be hotlinked from other sites. The following bucket policy uses the "Allow" effect to grant anonymous read access to the objects in the bucket when the request carries a Referer from the site 'example.com'. Keep in mind that the Referer header is set by the client and can be forged trivially (any HTTP client, curl included, can send an arbitrary Referer value), so this is a hotlinking deterrent for ordinary browsers, not an access control that protects the objects from a determined user.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowRequestHTTPHeader",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": "arn:aws:s3:::wasabibucket1/*",
                "Condition": {
                    "StringLike": {
                        "aws:Referer": ["http://www.example.com/*", "http://example.com/*"]
                    }
                }
            }
        ]
    }

    Please note:

    -The browser must send the Referer header with each request for this policy to work. Browsers omit or trim the header depending on the page's Referrer-Policy, and the condition values must match the scheme the site is actually served on: a page loaded over https:// sends an https:// Referer, which the http:// patterns above do not match. The trailing "/" in "http://example.com/*" is also deliberate; without it the pattern would match hosts such as example.com.evil.test.

    The Allow statement above only grants access; it does not take anything away. A request without a matching Referer is still refused, but only because nothing else grants it, so if the bucket or its objects are readable through another policy statement or an ACL, those reads are unaffected. If you wish to block all GET access to the bucket UNLESS the request carries a matching Referer, regardless of any other grant, add a Deny statement with a StringNotLike condition. Two things to be aware of: a request that has no Referer at all satisfies StringNotLike and is therefore denied, and a Deny with Principal "*" also applies to your own authenticated requests that do not send the header, such as those from S3 command-line tools. This statement grants nothing by itself, so keep the Allow statement alongside it:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOnlyRequestsHTTPHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": "arn:aws:s3:::wasabibucket1/*",
                "Condition": {
                    "StringNotLike": {
                        "aws:Referer": ["http://www.example.com/*", "http://example.com/*"]
                    }
                }
            }
        ]
    }
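    To see how the Allow statement and the Deny statement behave, alone and together, it helps to evaluate them offline against a few requests. The script below is an added example, not part of this article or of Wasabi's software: it is a small evaluator that models only the policy rules that matter here (case-sensitive StringLike/StringNotLike where "*" matches any run of characters and "?" one character, OR-ing of the listed values, a missing key making StringLike false and StringNotLike true, and explicit Deny beating any Allow). The object key "img/logo.png" and the sample Referer values are constructed for the demonstration; nothing here talks to Wasabi.

```python
import json
import re

# The two bucket policies from this article, embedded as JSON text.
ALLOW_POLICY = json.loads("""
{"Version":"2012-10-17","Statement":[{"Sid":"AllowRequestHTTPHeader",
 "Effect":"Allow","Principal":"*","Action":["s3:GetObject","s3:GetObjectVersion"],
 "Resource":"arn:aws:s3:::wasabibucket1/*",
 "Condition":{"StringLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}}}]}
""")
DENY_POLICY = json.loads("""
{"Version":"2012-10-17","Statement":[{"Sid":"AllowOnlyRequestsHTTPHeader",
 "Effect":"Deny","Principal":"*","Action":["s3:GetObject","s3:GetObjectVersion"],
 "Resource":"arn:aws:s3:::wasabibucket1/*",
 "Condition":{"StringNotLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}}}]}
""")


def _wild(pattern):
    """IAM-style wildcard: '*' is any run of characters, '?' exactly one,
    anchored at both ends and case-sensitive; everything else is literal."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + rx + "$", re.DOTALL)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, context):
    """Every operator/key block must hold; the values listed for a key are OR-ed."""
    for operator, pairs in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise ValueError("operator not modelled: " + operator)
        for key, values in pairs.items():
            actual = context.get(key)
            hit = actual is not None and any(_wild(v).match(actual) for v in _as_list(values))
            if operator == "StringLike" and not hit:
                return False   # key missing, or no listed pattern matched
            if operator == "StringNotLike" and hit:
                return False   # a missing key counts as "not like", so the Deny applies
    return True


def evaluate(policies, action, resource, context):
    """Explicit Deny wins over any Allow; with no matching Allow the request is
    implicitly denied. Principal is not modelled because every statement is '*'."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_wild(a).match(action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_wild(r).match(resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def get_object(policies, referer=None):
    """Anonymous GET of a constructed object key, with or without a Referer header."""
    context = {} if referer is None else {"aws:Referer": referer}
    return evaluate(policies, "s3:GetObject", "arn:aws:s3:::wasabibucket1/img/logo.png", context)


if __name__ == "__main__":
    cases = [
        ("Allow only, matching Referer",       [ALLOW_POLICY], "http://example.com/gallery.html"),
        ("Allow only, no Referer",             [ALLOW_POLICY], None),
        ("Allow only, https site",             [ALLOW_POLICY], "https://example.com/gallery.html"),
        ("Allow only, look-alike host",        [ALLOW_POLICY], "http://example.com.evil.test/"),
        ("Deny only, matching Referer",        [DENY_POLICY], "http://example.com/gallery.html"),
        ("Allow+Deny, matching Referer",       [ALLOW_POLICY, DENY_POLICY], "http://example.com/gallery.html"),
        ("Allow+Deny, no Referer",             [ALLOW_POLICY, DENY_POLICY], None),
        ("Allow+Deny, forged Referer",         [ALLOW_POLICY, DENY_POLICY], "http://example.com/"),
    ]
    for label, policies, referer in cases:
        print(f"{label:34} -> {get_object(policies, referer)}")
```

    The "Deny only" case shows why the Deny statement needs the Allow statement next to it, the "no Referer" case shows the missing-key behaviour of StringNotLike, and the https and look-alike cases show why the scheme and the trailing "/" in the patterns matter. The forged-Referer case evaluates exactly like the genuine one, which is the limitation of this approach: the evaluator, like Wasabi, only sees the header value the client chose to send.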