SpringBoot vs Nginx: Five Implementation Options vs One Directive – Which Is the True Anti‑Hotlinking Champion?

What Is Anti‑Hotlinking?

Anti‑hotlinking prevents other sites from directly linking to your resources, which would consume your server bandwidth. The core idea is to check the HTTP Referer header and allow only requests from whitelisted domains.

“盗链就是别人不劳而获，占用你服务器的流量和资源。”

Nginx One‑Directive Solution

The simplest and most efficient method is to let Nginx handle the check during the request processing phase, avoiding any Java‑level overhead.

location ~* \.(gif|jpg|png|jpeg)$ {
    root /web;
    valid_referers none blocked *.ttlsa.com server_names ~\.google\. ~\.baidu\.;
    if ($invalid_referer) {
        rewrite ^/ https://img-blog.csdnimg.cn/20200429152123372.png;
    }
}

Why it is fast: Nginx evaluates the rule before passing the request to the application layer, so CPU cost is minimal.

“Nginx的防盗链，就是给服务器装了个‘保安’，一进门就问‘你是谁？’而不是让Java应用去‘查户口’！”

SpringBoot Implementations (Five Ways)

1. Filter (Global Interception)

A Filter intercepts every request, suitable for static resources.

@Component
@Slf4j
public class AntiHotlinkFilter implements Filter {
    @Value("${anti-hotlink.enabled}") private boolean enabled;
    @Value("${anti-hotlink.allowed-domains}") private List<String> allowedDomains;
    @Value("${anti-hotlink.protected-formats}") private List<String> protectedFormats;
    @Value("${anti-hotlink.allow-direct-access}") private boolean allowDirectAccess;
    @Value("${anti-hotlink.deny-action}") private String denyAction;
    @Value("${anti-hotlink.default-image}") private String defaultImage;
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        if (!enabled) { chain.doFilter(request, response); return; }
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        String referer = req.getHeader("referer");
        // whitelist path check omitted for brevity
        // referer validation logic (same as Nginx) omitted for brevity
        if (!isAllowed) { handleDenyAction(res, defaultImage); return; }
        chain.doFilter(request, response);
    }
    // helper methods omitted
}

Why use a Filter: Global interception, no need to modify business code.

2. Interceptor (MVC‑Only)

An HandlerInterceptor can access the Spring context but only works for MVC requests.

public class AntiHotlinkInterceptor implements HandlerInterceptor {
    private List<String> allowedDomains;
    private List<String> protectedFormats;
    private boolean allowDirectAccess;
    private String denyAction;
    private String defaultImage;
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        String referer = request.getHeader("referer");
        String uri = request.getRequestURI();
        // protected‑resource and referer checks omitted
        if (!isAllowed) { handleDenyAction(response); return false; }
        return true;
    }
    // helper methods omitted
}

Drawback: Only applies to MVC routes, not static file requests.

3. Nginx Configuration Inside SpringBoot

Embedding the same Nginx directive in the reverse‑proxy layer provides the same performance without any Java code.

location ~* \.(gif|jpg|png|jpeg)$ {
    root /web;
    valid_referers none blocked *.yourdomain.com server_names ~\.google\. ~\.baidu\.;
    if ($invalid_referer) { return 403; }
}

4. Signed URL

Generate a time‑limited signature on the URL; the server validates the signature, preventing Referer spoofing.

public class SignatureUtil {
    private static final String SECRET_KEY = "your_secret_key";
    public static String generateSignature(String url) {
        long timestamp = System.currentTimeMillis() / 1000;
        String signature = DigestUtils.md5DigestAsHex((url + SECRET_KEY + timestamp).getBytes());
        return url + "?timestamp=" + timestamp + "&signature=" + signature;
    }
    public static boolean validateSignature(String url, String signature) {
        String[] parts = url.split("\\?");
        if (parts.length < 2) return false;
        // parsing logic omitted for brevity
        long timestamp = Long.parseLong(paramMap.get("timestamp"));
        String expected = DigestUtils.md5DigestAsHex((url + SECRET_KEY + timestamp).getBytes());
        return expected.equals(signature);
    }
}

Pros: High security because the secret key is never exposed.

5. Hybrid Strategy

Combine Nginx first‑line defense with SpringBoot secondary checks for layered protection.

anti-hotlink:
  enabled: true
  allowed-domains:
    - localhost
    - 127.0.0.1
    - "*.example.com"
    - "^test\\d+\.domain\.com$"
  protected-formats:
    - .jpg
    - .jpeg
    - .png
    - .gif
  allow-direct-access: true
  deny-action: DEFAULT_IMAGE
  default-image: /images/no-hotlinking.png
  whitelist-paths:
    - /api/public/**
    - /images/public/**

Why hybrid: Provides two layers of defense; if one is bypassed, the other still protects the resource.

Deep Comparison

Performance

Real‑world tests (1000, 10 000 and 1 000 000 concurrent requests) show Nginx handling the check in 0.05 ms, 0.1 ms and 0.5 ms respectively, while SpringBoot Filter takes 1.2 ms, 12 ms and 120 ms. That translates to 24×, 120× and 240× speed‑up for Nginx.

Security

Referer‑based checks (both Nginx and SpringBoot) can be spoofed.

Signed URL cannot be forged without the secret key.

Hybrid strategy offers high security while keeping performance acceptable.

Development & Maintenance Cost

Configuration difficulty: Nginx – low; SpringBoot – medium.

Development effort: Nginx – low; SpringBoot – high (code, tests, deployment).

Maintenance effort: Nginx – low; SpringBoot – medium.

Suitable scenarios: Nginx for high‑traffic sites; SpringBoot for low‑to‑medium traffic or when application‑level logic is required.

“别再让别人‘白嫖’你的服务器了！这就像你家的WiFi，别人不付钱就蹭网，你还不知道！”

In summary, Nginx provides the fastest, lowest‑maintenance anti‑hotlinking solution, while SpringBoot offers flexibility through multiple patterns at the cost of higher latency and development effort. Choosing the right approach depends on traffic volume, security requirements, and how much code you are willing to maintain.