1. Goal
For security and performance reasons, we want the image resources returned by the server to be displayed only on the designated website, so that crawlers or other sites cannot link directly to the image addresses to download or display them and consume server resources. Simply put, when an image is requested, the interceptor checks the Referer in the HTTP request header to decide whether the request source is legitimate.
2. Simple implementation
2.1 Basic interceptor implementation
In the first solution, the allowed domain name (for example, "") is hard-coded in the interceptor. The main steps are as follows:
- Check the URL suffix: when the request URL ends with an image extension such as ".jpg", ".png" or ".jpeg", continue with the next check.
- Check the Referer: take the Referer from the request header; if it is not empty and contains the preset allowed domain name, let the request through; otherwise return a 403 status code to deny access.
For example:
    import javax.servlet.http.HttpServletRequest;  // jakarta.servlet.http on Spring Boot 3
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.web.servlet.HandlerInterceptor;

    public class ImgProtectInterceptor implements HandlerInterceptor {

        @Override
        public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
            String requestUrl = request.getRequestURL().toString();
            // Only image resources are subject to the Referer check
            if (requestUrl.endsWith(".jpg") || requestUrl.endsWith(".png") || requestUrl.endsWith(".jpeg")) {
                String referer = request.getHeader("Referer");
                // The allowed domain name is elided on the original page; fill in your own
                if (referer != null && referer.contains("")) {
                    return true;
                } else {
                    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                    return false;
                }
            }
            return true;
        }
    }
When registering the interceptor, use Spring Boot's WebMvcConfigurer interface to apply it to all request paths.
3. Flexible, configuration-driven implementation
To make hotlink protection more flexible, the configuration items (whether hotlink protection is enabled, whether direct browser access is allowed, the whitelisted domain names, and so on) can be written in the configuration file and mapped to a Java object with a configuration class.
3.1 Configuration file example
Define the following in the configuration file:
    img-protect:
      enabled: true
      allowBrowser: false
      allowReferer:
3.2 Configuration mapping class
Use @ConfigurationProperties to map the configuration items to a Java class for later use:
    import org.springframework.boot.context.properties.ConfigurationProperties;
    import org.springframework.stereotype.Component;

    @Component
    @ConfigurationProperties("img-protect")
    public class ImgProtectConfig {
        private boolean enabled;      // whether hotlink protection is enabled
        private boolean allowBrowser; // whether requests without a Referer (direct browser access) are allowed
        private String allowReferer;  // comma-separated list of allowed domain names

        // getters/setters
        public boolean isEnabled() { return enabled; }
        public void setEnabled(boolean enabled) { this.enabled = enabled; }
        public boolean isAllowBrowser() { return allowBrowser; }
        public void setAllowBrowser(boolean allowBrowser) { this.allowBrowser = allowBrowser; }
        public String getAllowReferer() { return allowReferer; }
        public void setAllowReferer(String allowReferer) { this.allowReferer = allowReferer; }
    }
3.3 Interceptor implementation details
In the new version of the interceptor, the configuration class above is injected and the following logic is implemented:
- If hotlink protection is not enabled, the request is allowed through directly.
- For requests for image resources (determined by the URL suffix):
- If the Referer is empty and direct browser access is allowed (allowBrowser is true), the request is allowed through;
- If the Referer is not empty, a helper method checks whether the Referer contains one of the domain names allowed in the configuration (multiple domain names are supported, comma-separated);
- Otherwise, 403 is returned.
For example:
    import javax.servlet.http.HttpServletRequest;  // jakarta.servlet.http on Spring Boot 3
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.stereotype.Component;
    import org.springframework.web.servlet.HandlerInterceptor;

    @Component
    public class ImgProtectInterceptor implements HandlerInterceptor {

        @Autowired
        private ImgProtectConfig imgProtectConfig; // the configuration class mapped above

        @Override
        public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
            // Hotlink protection disabled: let every request through
            if (!imgProtectConfig.isEnabled()) {
                return true;
            }
            String requestUrl = request.getRequestURL().toString();
            if (requestUrl.endsWith(".jpg") || requestUrl.endsWith(".png") || requestUrl.endsWith(".jpeg")) {
                String referer = request.getHeader("Referer");
                if (referer == null && imgProtectConfig.isAllowBrowser()) {
                    return true; // no Referer, and direct browser access is permitted by configuration
                } else if (referer != null && isAllowedDomain(referer)) {
                    return true;
                } else {
                    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                    return false;
                }
            }
            return true;
        }

        // Compares the Referer against each comma-separated domain name in the configuration
        // (body reconstructed from the description in the text; the original page omits it)
        private boolean isAllowedDomain(String referer) {
            String allowReferer = imgProtectConfig.getAllowReferer();
            if (allowReferer == null) {
                return false;
            }
            for (String domain : allowReferer.split(",")) {
                String d = domain.trim();
                if (!d.isEmpty() && referer.contains(d)) {
                    return true;
                }
            }
            return false;
        }
    }
The isAllowedDomain method iterates over the domain names allowed in the configuration and compares each of them against the Referer.
4. Caveats and limitations
Although hotlink protection based on checking the Referer can effectively prevent resources from being stolen in common scenarios, it still has some shortcomings:
- Referer forgery: a malicious client can forge the Referer header and bypass the check.
- Missed detections: attackers may use data URIs or Base64 encoding to bypass the check.
- False positives: some legitimate users (for example, those using a privacy-oriented browser or a proxy server) may be blocked by mistake because the Referer does not match.
- Reverse proxy problem: attackers may use a reverse proxy and put a whitelisted domain name in the URL path, defeating the contains check.
Therefore, this method is only a basic protection measure and cannot guarantee absolute safety. In real applications it can be combined with stricter measures (such as token verification or Nginx hotlink protection) to improve the level of protection.
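The weaknesses above are reason to compare the parsed Referer host rather than run a substring check. The following helper, added here as an example and not code from the original article, parses the Referer with java.net.URI and matches its host against the comma-separated allowReferer setting; the class name, method name and sample values are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

public class RefererHostCheck {
    // Returns true only if the Referer is an absolute http(s) URL whose host equals one of the
    // comma-separated allowed domains or is a subdomain of one. Comparing the parsed host rather
    // than the raw string is what rejects "https://attacker.example/example.com/" and
    // "https://example.com.attacker.example/", both of which a contains() check would accept.
    public static boolean isAllowedReferer(String referer, String allowReferer) {
        if (referer == null || referer.trim().isEmpty() || allowReferer == null) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(referer.trim());
        } catch (URISyntaxException e) {
            return false; // malformed header: deny rather than guess
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (host == null || scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return false; // relative reference, missing authority or non-web scheme
        }
        host = host.toLowerCase(Locale.ROOT);
        for (String allowed : allowReferer.split(",")) {
            String a = allowed.trim().toLowerCase(Locale.ROOT);
            if (!a.isEmpty() && (host.equals(a) || host.endsWith("." + a))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String allow = "example.com,cdn.example.org"; // constructed allowReferer value
        String[] samples = {                           // constructed Referer headers
            "https://example.com/gallery",                // allowed
            "https://img.example.com/page",               // allowed: subdomain
            "https://attacker.example/example.com/",      // denied: domain only in the path
            "https://example.com.attacker.example/",      // denied: look-alike host
            "https://user:example.com@attacker.example/", // denied: domain in userinfo
            "not a url"                                   // denied: unparseable
        };
        for (String s : samples) {
            System.out.println(isAllowedReferer(s, allow) + "  " + s);
        }
    }
}
```

Replacing the contains check in isAllowedDomain with this host comparison closes the path-based bypass, but does nothing against a forged Referer, which still calls for token-based protection as the article notes.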
5. Summary
This article has shown two ways to implement image hotlink protection with Spring Boot:
- A simple approach with a hard-coded configuration that checks the Referer directly in the interceptor;
- An approach based on a flexible configuration file, where the hotlink protection parameters are configured and then used in the interceptor.
Although this method offers some protection against hotlinking in general, given that the Referer can be forged, a more comprehensive security strategy should be considered for the specific scenario in a real project.