How to restrict object access based on HTTP referer header?

Updated on 18 Dec 2023
1 Minute to read

Article summary

Did you find this summary helpful?

Thank you for your feedback

If you would like for your Wasabi bucket to be public, but only to users who are requesting objects from a specific website, or when specific HTTP headers are present in the request, we can add a string requirement to the bucket policy specifying which HTTP headers must be present. A good use-case for this example would be that you own a website where the images, videos, etc for the site are stored on a Wasabi bucket. The following bucket policy makes use of the "Allow" effect to grant public access for this bucket when requests are coming from the site 'example.com'.

{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AllowRequestHTTPHeader",
"Effect":"Allow",
"Principal":"*",
"Action":["s3:GetObject","s3:GetObjectVersion"],
"Resource":"arn:aws:s3:::wasabibucket1/*",
"Condition":{
"StringLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}
}
}
]
}

Please note:

-The web browser must pass along the HTTP header request for this policy to function properly

This policy does not restrict any access to the bucket, but instead only grants access. If you wish to prevent any GET access to the bucket UNLESS it contains a specific HTTP header, then we would need to make a DENY policy. To do this, we can use DENY with a StringNotLike condition:

{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AllowOnlyRequestsHTTPHeader",
"Effect":"Deny",
"Principal":"*",
"Action":["s3:GetObject","s3:GetObjectVersion"],
"Resource":"arn:aws:s3:::wasabibucket1/*",
"Condition":{
"StringNotLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}
}
}
]
}

What's Next

How do I whitelist Wasabi service URLs in my firewall?