Information Security

5 Effective Anti-Hotlinking Techniques: Nginx, SpringBoot, Tokens, Timestamps & Captchas

Hotlinking attacks steal popular media by fetching resources from major platforms, but developers can protect assets using anti-leech methods such as Nginx referer checks, SpringBoot filters, token validation, timestamp verification, and graphical captchas, each with strengths and limitations against forged requests.

Lobster Programming

Hotlinking (leeching) is a common threat in which attackers use crawlers to copy popular images, videos and other media from major platforms and serve them from their own sites, profiting without providing the original resources.

Popular platforms therefore employ anti-leech (防盗链) mechanisms to protect their resources. Below are several common implementations.

1. Nginx Implementation

HTTP requests contain a Referer header indicating the page that linked to the resource. By configuring Nginx to validate this header against a whitelist, unauthorized requests can be blocked.

<code># Images under /web are served only to requests whose Referer passes the check below
location ~* \.(gif|jpg|png|jpeg)$ {
    root /web;
    # Accepted: no Referer at all ("none"), a Referer mangled by a proxy or firewall ("blocked"),
    # and pages on the site's own domain. Note that "none" also admits clients that simply omit the header.
    valid_referers none blocked www.longxiabiancheng.com;
    # $invalid_referer is set to "1" when the Referer matched none of the entries above
    if ($invalid_referer) {
        return 403;
    }
}</code>

This method blocks most casual hotlinking but can be bypassed by forging the Referer header.

2. SpringBoot Filter Implementation

A servlet filter can read the Referer header and compare it with an allowed domain, rejecting the request if it does not match.

<code>import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyResourceFilter implements Filter {
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String referer = request.getHeader("Referer");
        // The trailing slash matters: without it, a Referer such as
        // "https://www.longxiabiancheng.com.attacker.example/" would also pass the prefix check
        String allowedDomain = "https://www.longxiabiancheng.com/";
        if (referer == null || referer.isEmpty() || !referer.startsWith(allowedDomain)) {
            // Missing or foreign Referer: reject the request and stop here
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.getWriter().write("longxiabiancheng");
            return;
        }
        // Referer accepted: pass the request on to the next filter or to the resource itself
        filterChain.doFilter(servletRequest, servletResponse);
    }
}</code>

Like Nginx, this approach can be evaded by spoofing the Referer.

3. Token Validation

After a user logs in, the server issues a token that must accompany subsequent requests; missing or invalid tokens cause the request to be denied.

However, attackers can first obtain a valid token via the login API and reuse it, thus bypassing this protection.

4. Timestamp Verification

Legitimate users typically spend a measurable amount of time on a page, whereas bots act quickly. The server can issue a timestamp to the client, which the client returns on the next request; the server compares it with the current time.

<code>import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Returns false (and writes a refusal message) when the request arrives less than
// 500 ms after the timestamp the client was given; true otherwise
private boolean checkTime(HttpServletRequest request, HttpServletResponse response) {
    // Read the timestamp the client sends back with the request
    String timestampStr = request.getParameter("timestamp");
    try {
        if (timestampStr == null) {
            response.getWriter().write("不可以继续访问哦");
            return false;
        }
        long timestamp = Long.parseLong(timestampStr);
        long currentTimestamp = System.currentTimeMillis();
        // If the time spent on the page exceeds the threshold, treat the client as a human rather than a bot
        if (Math.abs(currentTimestamp - timestamp) < 500) {
            response.getWriter().write("不可以继续访问哦!");
            return false;
        }
        return true;
    } catch (Exception e) {
        // Unparseable timestamp or failure writing the response: deny access
        return false;
    }
}</code>

This method may produce false positives when users briefly view a page.
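The token check of section 3 and the timestamp check of section 4 both rely on a value the client sends back, and in the code above that value is a bare number the client can set to anything. The following example, added here and not part of the original article, goes one step further than the page by having the server bind the issued timestamp with an HMAC, so a timestamp the server did not issue is rejected before the 500 ms dwell-time rule is applied. The secret key and the 10-minute maximum age are constructed values for the demonstration.

```python
import hashlib
import hmac
import time

# Constructed demo secret; a real deployment loads this from configuration, not source
SECRET_KEY = b"demo-secret-not-for-production"
MIN_DWELL_MS = 500         # the article's threshold: faster than this looks like a bot
MAX_AGE_MS = 10 * 60_000   # assumed upper bound so a captured token cannot be replayed forever


def _sign(timestamp_ms: int) -> str:
    """MAC over the timestamp so the server can recognise values it issued itself."""
    return hmac.new(SECRET_KEY, str(timestamp_ms).encode(), hashlib.sha256).hexdigest()


def issue_token(now_ms: int) -> str:
    """Server side, when the page is rendered: hand the client '<timestamp>.<mac>'."""
    return f"{now_ms}.{_sign(now_ms)}"


def check_token(token, now_ms: int) -> tuple:
    """Server side, when the media is requested. Returns (allowed, reason)."""
    if not token or "." not in token:
        return False, "missing"
    ts_str, mac = token.split(".", 1)
    try:
        timestamp_ms = int(ts_str)
    except ValueError:
        return False, "malformed"
    # Check the MAC before trusting the timestamp; compare_digest avoids timing leaks
    if not hmac.compare_digest(mac.encode(), _sign(timestamp_ms).encode()):
        return False, "forged"
    elapsed = now_ms - timestamp_ms
    if elapsed < MIN_DWELL_MS:
        return False, "too fast"      # the page's bot heuristic
    if elapsed > MAX_AGE_MS:
        return False, "expired"       # stale or replayed token
    return True, "ok"


if __name__ == "__main__":
    t0 = int(time.time() * 1000)
    tok = issue_token(t0)
    print(check_token(tok, t0 + 100))                          # (False, 'too fast')
    print(check_token(tok, t0 + 3000))                         # (True, 'ok')
    # A client that back-dates its own timestamp without the key is caught by the MAC check
    print(check_token(f"{t0 - 5000}.{'0' * 64}", t0 + 3000))   # (False, 'forged')
```

The false-positive problem the article mentions remains: a genuine user who clicks within 500 ms is still refused, so the threshold trades usability against bot resistance.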

5. Captcha Verification

Graphical captchas require manual user interaction before downloading resources, preventing most automated crawlers.

While effective against simple bots, captchas do not guarantee complete protection.

Overall, anti-leech measures increase the difficulty of stealing resources but cannot achieve 100% protection; sophisticated attackers can still mimic legitimate users. Large companies often combine these techniques with big-data analysis to blacklist abnormal behavior.

Written by

Lobster Programming

Sharing insights on technical analysis and exchange, making life better through technology.