Use ServletHttp to implement an anti-hot link

1. What is hotlinking

Definition: using technical means to display content from another website directly on your own website, or to let users reach the original provider's content through links on your site, without the consent or authorization of the original content provider.

Simply put:

If my website displays or links to pictures, videos, articles and so on from website B (say, Baidu) without B's consent or authorization, then my website is hotlinking.

For example: someone is visiting a page on my website, but the content on that page is not mine. If what I show him is really Baidu's content pulled in through a link, that is a hotlink, and a clever hotlink will even be packaged so that you cannot tell the page comes from Baidu.

2. How to implement hotlinking?

There are many ways to achieve this, such as

Client-side technology:

Use JavaScript (or a library such as jQuery) to fetch content from the target web page in the browser and insert it into your own page. This method has to deal with cross-domain (CORS) restrictions.

Server-side technology:

Fetch the content of the target web page on the server, then filter, parse and modify it and output it on your own page. This requires a programming language such as PHP, Python or Java together with a network library or parser such as cURL, Requests, BeautifulSoup or Jsoup.

Front-end technology:

One of them is the iframe tag: it embeds the entire content of another web page in your own page, and you only need to set the src attribute to the URL of the target page.

Here’s a simple example:

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title></title>
</head>
<body>
<iframe src="https://www.baidu.com/" title="description"></iframe>
</body>
</html>

Here I embedded Baidu's page, and it does not display, because Baidu uses anti-hotlinking technology.

[screenshot]

But when I embed a page that has no anti-hotlinking technology:

<iframe src="http://localhost:8080/web/" title="description"></iframe>

Here the reference is replaced with a web page on my own Tomcat server, and it displays successfully!

[screenshot]

3. How to prevent hotlinking

Timestamp verification

Timestamp hotlink prevention adds a time factor to the URL by including timestamp information in the request URL. If the hotlinker does not update the URL in time, the link becomes inaccessible. This is fairly common, but if the hotlinker regularly comes back to refresh the URL, this method is also ineffective on its own.

IP black and white list

Configure a black list or white list of requester IPs. With a black list, everyone except the listed addresses can access; with a white list, only the listed addresses can access. This method is directly effective, but the requester's IP addresses must be known in advance, so the applicable scenarios are relatively limited.

Signature verification

Compute a signature (an encrypted string) for the requested content and attach it to the request. If the signature sent with the request does not match the one the server computes, reject or replace the requested content.

Referer verification

Check whether the web page the request came from belongs to a domain name you allow; if not, reject or replace the requested content. This method requires configuring the relevant rules on the server side, for example with Nginx's valid_referers directive.
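The timestamp and signature methods above combine naturally into an expiring signed link. The following is an added example, not code from the original post, using only the Java 8+ standard library; the path /web/file.zip, the ten-minute lifetime and the SECRET value are assumed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Timestamped, signed download links. The server issues
 * "path?expires=<unix seconds>&sig=<HMAC-SHA256>" and later verifies both fields:
 * a copied link stops working at "expires", and editing the timestamp breaks the MAC.
 * SECRET is a placeholder; a real deployment loads it from configuration, never from source.
 */
public class SignedLink {
    private static final byte[] SECRET = "placeholder-secret-change-me".getBytes(StandardCharsets.UTF_8);

    // MAC over "path|expires" so neither field can be altered independently of the other.
    static String mac(String path, long expires) {
        try {
            Mac hmac = Mac.getInstance("HmacSHA256");
            hmac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
            byte[] tag = hmac.doFinal((path + "|" + expires).getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);  // query-string safe
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    /** Builds the link that the regular server embeds in its own pages. */
    public static String sign(String path, long expires) {
        return path + "?expires=" + expires + "&sig=" + mac(path, expires);
    }

    /** Called by the download endpoint; 'now' is the server clock in unix seconds. */
    public static boolean verify(String path, long expires, String sig, long now) {
        if (now > expires) {
            return false;                                   // timestamp check: link has expired
        }
        byte[] expected = mac(path, expires).getBytes(StandardCharsets.UTF_8);
        byte[] given = sig.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);      // constant-time comparison
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis() / 1000;
        long expires = now + 600;                           // link valid for ten minutes
        String link = sign("/web/file.zip", expires);
        String sig = link.substring(link.indexOf("sig=") + 4);
        System.out.println(link);
        System.out.println("fresh link:     " + verify("/web/file.zip", expires, sig, now));
        System.out.println("edited expires: " + verify("/web/file.zip", expires + 3600, sig, now));
        System.out.println("after expiry:   " + verify("/web/file.zip", expires, sig, expires + 1));
    }
}
```

The expiry is enforced from the server clock, so a hotlinker who copies the link cannot extend it without the secret.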

4. Using the Referer to implement simple anti-hotlinking

Implementation principle:

[screenshot]

In the picture above, the user sends two requests in total. The first one goes to download.jsp on the regular server, the second one to download.jsp on the hotlink server. Although the two download.jsp pages have the same content, their sources are not the same.

  • If the request to download.jsp comes from the hotlink server, we display that downloading is not possible;
  • If the request to download.jsp comes from the regular server, we display that it can be downloaded.

Expected outcome:

  • When both requests come from the same domain name, the page shows that the file can be downloaded.
  • When the two requests come from different domain names, the page shows that the download is refused.

Implementation

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;          // Tomcat 10+ uses the jakarta.servlet.* packages instead
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(name = "DownloadServlet", urlPatterns = "/downloadServlet")
public class referer extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Set response content type and encoding
        resp.setContentType("text/html;charset=utf-8");
        // Get the character output stream of the response object
        PrintWriter writer = resp.getWriter();
        // Header names are case-insensitive, so "referer" also matches "Referer"
        String referer = req.getHeader("referer");
        // The Referer header exists and names the regular server's download page
        if (referer != null && referer.equals("http://localhost:8080/web/download.jsp")) {
            writer.write("can be downloaded");
        } else {
            writer.write("Reject hotlinking");
        }
        writer.flush();
        writer.close();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        this.doGet(req, resp);
    }
}

Normal access, because the request address at this time

[screenshot]

[screenshot]

Why can it be accessed? Looking at the browser's Network panel, the Referer of the regular channel is http://localhost:8080/web/download.jsp. The code checks for exactly this value, so the server only returns the real page when the Referer matches it.

[screenshot]

Why? Let's take a look at the definition of Referer:

According to the HTTP protocol, the Referer field indicates the source of the request, that is, the web page on which the user clicked a link or submitted a form that produced the request.

In other words, the Referer is determined by the page we came from. If we type the address directly into the browser, there is no Referer; when we navigate from a page, the Referer is that page's URL. The picture below shows the result when we assume our own page is the one that embeds the download: the Referer does not match, so the real page cannot be accessed.

[screenshot]
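The servlet above compares the whole Referer with equals(), which ties the check to a single page. As an added example that is not the original post's code, the following Java 11+ class parses the header and compares only scheme, host and port against an allow-list (ALLOWED_ORIGINS and the sample headers are assumed), so every page on the trusted site may link to the download while look-alike hosts are still rejected.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class RefererCheck {
    // Assumed allow-list; "http://localhost:8080" is the regular Tomcat server from the post.
    private static final Set<String> ALLOWED_ORIGINS = Set.of("http://localhost:8080");

    /** Returns the normalised "scheme://host[:port]" of a URL, or null if it has no usable host. */
    static String originOf(String url) {
        try {
            URI uri = new URI(url.trim());
            String scheme = uri.getScheme();
            String host = uri.getHost();   // null for "localhost:8080.evil.example" (no valid port)
            if (scheme == null || host == null) {
                return null;
            }
            scheme = scheme.toLowerCase(Locale.ROOT);
            int port = uri.getPort();      // -1 when no explicit port is given
            int def = scheme.equals("https") ? 443 : 80;
            String portPart = (port == -1 || port == def) ? "" : ":" + port;
            return scheme + "://" + host.toLowerCase(Locale.ROOT) + portPart;
        } catch (URISyntaxException e) {
            return null;                   // unparsable header
        }
    }

    /** A missing or empty Referer is treated like a hotlink, as in the servlet above. */
    public static boolean isAllowedReferer(String referer) {
        if (referer == null || referer.isBlank()) {
            return false;
        }
        String origin = originOf(referer);
        return origin != null && ALLOWED_ORIGINS.contains(origin);
    }

    public static void main(String[] args) {
        String[] samples = {                            // constructed sample headers
            "http://localhost:8080/web/download.jsp",   // the post's own page
            "http://LOCALHOST:8080/web/other.jsp",      // another page on the same site
            "http://localhost:8080@evil.example/",      // userinfo trick: the host is evil.example
            "http://localhost:8080.evil.example/x",     // look-alike authority, no host parsed
            "https://localhost:8080/web/download.jsp",  // wrong scheme
            null                                        // address typed directly into the browser
        };
        for (String s : samples) {
            System.out.println(isAllowedReferer(s) + "  <- " + s);
        }
    }
}
```

The Referer is set by the client and may be stripped by browser privacy settings or a Referrer-Policy, so treat this as a hotlink deterrent rather than access control and expect some legitimate users to arrive without one.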