Every successful adult tube has the same problem: other sites embedding your videos directly, or scraping your catalog wholesale. Hotlinkers eat your bandwidth while earning ad revenue on your content. Scrapers clone your site and compete against you in the SERPs with the same videos. Both are preventable — but only with infrastructure you deliberately design, not with after-the-fact hopes.
This post is the 2026 technical playbook: referrer controls, signed URLs, token-authenticated streaming, CDN-layer rules, and how to detect a scraper the moment they start.
The Two Threats
- Hotlinkers embed your video files or thumbnails directly on their pages. They don’t clone your site — they just leech your CDN bandwidth and let their users watch your content on their domain.
- Scrapers crawl your listings, downloading thumbnails, metadata, and sometimes full videos, then republish on competing sites.
Different attack surfaces, overlapping defenses.
Defense Layer 1: Referrer Controls
Your CDN can block requests whose HTTP Referer header isn’t from your own domain. This is the simplest and fastest hotlink defense.
BunnyCDN Implementation
Pull Zone → Security → Hotlink Protection → Enable
Allowed hostnames: yoursite.com, embed.yoursite.com
Cloudflare / Nginx Origin
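```nginx
# Place inside the location that serves media. (/|$) ends the hostname, so
# yoursite.com.other.example does not match; a missing Referer also gets 403.
if ($http_referer !~* "^https?://(www\.)?yoursite\.com(/|$)") {
    return 403;
}
```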
Limitation
Savvy hotlinkers send fake Referer headers from their own server-side code. Referrer controls stop casual embeds (most of the volume); the rest needs stronger defenses.
Defense Layer 2: Signed URLs
A signed URL is a video/thumbnail URL that includes a cryptographic signature valid only for a specific user, IP, or time window. Attempting to use it outside those bounds returns a 403.
BunnyCDN Token Auth
- Enable Token Authentication on the Pull Zone.
- Configure security key in dashboard.
- Generate signed URLs server-side:
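```php
<?php
// PHP example
$security_key = getenv('CDN_TOKEN_KEY'); // assumed env var name; never hard-code the key
$expires = time() + 3600;                // valid for one hour
$path = "/videos/4000/4321/web_mp4/web.mp4";
// Match the exact hash input order and token encoding your CDN documents.
$hash = hash('sha256', $security_key . $path . $expires);
$signed_url = "https://cdn.yoursite.com{$path}?token={$hash}&expires={$expires}";
```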
Features:
- Time-bound (e.g., 1-hour validity).
- Optional IP binding (URL only works for originally-requesting IP).
- Path-specific (signature valid only for the intended file).
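The three properties above, seen from the verifying side, as an added example (not code from this post or from any CDN). It assumes an origin that checks tokens itself with HMAC-SHA256 over delimited fields, which is not BunnyCDN's token format; `SECRET`, `sign_url` and `verify_url` are hypothetical names.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-key"  # placeholder; load the real key from secret storage

def _mac(path, expires, ip=""):
    # Newline-delimited fields: plain concatenation would sign
    # ("/a1", 2) and ("/a", 12) as the same string.
    msg = f"{path}\n{expires}\n{ip}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def sign_url(base, path, ttl=3600, ip="", now=None):
    """Return base+path with token and expires; pass ip to bind the URL to it."""
    expires = int(time.time() if now is None else now) + ttl
    return f"{base}{path}?token={_mac(path, expires, ip)}&expires={expires}"

def verify_url(url, client_ip="", bind_ip=False, now=None):
    """Return (allowed, reason); the edge answers 403 when allowed is False."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    token = qs.get("token", [""])[0]
    try:
        expires = int(qs.get("expires", [""])[0])
    except ValueError:
        return False, "malformed"
    expected = _mac(parts.path, expires, client_ip if bind_ip else "")
    # Constant-time compare; checked before expiry so an edited
    # expires value is rejected as a bad signature, not trusted.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "bad-signature"
    if (time.time() if now is None else now) > expires:
        return False, "expired"
    return True, "ok"
```

The same check serves the session-bound player token of Defense Layer 4 if the session identifier is signed in place of the IP.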
AWS CloudFront / Wasabi S3
Pre-signed URLs via AWS Signature V4. Same concept, different API.
Defense Layer 3: HLS Token Authentication
HLS streaming exposes both the master.m3u8 manifest and individual segment files. If someone can access the manifest, they can stream.
- Sign the .m3u8 URL with a short-lived token.
- Sign each segment URL inside the manifest (nginx-rtmp, nginx-vod, or CDN-native).
- Rotate security keys periodically.
- Bind tokens to session (cookie / JWT) for logged-in users.
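Signing each segment URL inside the manifest, as an added example (not code from this post, nginx-vod, or any CDN). It assumes the edge verifies an HMAC over path and expiry; `KEY`, `token_for` and `sign_manifest` are hypothetical names, and the playlist is constructed.

```python
import hashlib
import hmac
import re
from urllib.parse import urljoin, urlsplit

KEY = b"constructed-demo-key"  # placeholder; must match the key the edge verifies with

def token_for(path, expires):
    return hmac.new(KEY, f"{path}\n{expires}".encode(), hashlib.sha256).hexdigest()

def _signed(uri, manifest_url, expires):
    absolute = urljoin(manifest_url, uri)          # resolve relative segment names
    sep = "&" if urlsplit(absolute).query else "?"
    token = token_for(urlsplit(absolute).path, expires)
    return f"{absolute}{sep}token={token}&expires={expires}"

def sign_manifest(text, manifest_url, expires):
    """Rewrite every URI in a playlist so each fetch carries its own token."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("#"):
            # Tags such as EXT-X-KEY and EXT-X-MAP reference files via URI="...".
            line = re.sub(r'URI="([^"]+)"',
                          lambda m: f'URI="{_signed(m.group(1), manifest_url, expires)}"', s)
        elif s:
            line = _signed(s, manifest_url, expires)  # segment or child playlist
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample playlist.
SAMPLE = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:6
#EXT-X-KEY:METHOD=AES-128,URI="key.bin"
#EXTINF:6.0,
seg_000.ts
#EXTINF:6.0,
seg_001.ts
#EXT-X-ENDLIST
"""
```

Segment tokens need an expiry that outlasts playback of the manifest they were issued in, otherwise later segments return 403 mid-stream.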
Defense Layer 4: Session Token in the Player
When the user plays a video, your page generates a short-lived session token and passes it to the player. The video URL is constructed with the token. If someone scrapes the page but doesn’t also extract the token correctly, the video won’t play.
Make the token:
- Generated only after the user actually interacts (not just on page load).
- Tied to the user’s session or IP.
- Short-lived (5–15 minutes).
- Delivered via JavaScript rather than static HTML, making scraping harder.
Defense Layer 5: Rate Limiting
Even with signed URLs, scrapers can request hundreds of pages per minute. Rate-limit at the CDN and origin:
- Per-IP: 60–120 requests/minute for page loads; 300+ for thumbnail/image requests.
- Per-country: temporary bans for geos with abusive patterns.
- Per-user-agent: block known-bad bot UAs.
Nginx limit_req is effective at origin. CDN-layer rate limiting is better for scale (Cloudflare, BunnyCDN).
Defense Layer 6: User-Agent and Behavioral Filters
- Block obvious scrapers: curl, python-requests, wget with default UAs.
- Require common browser headers (Accept, Accept-Language).
- Flag requests missing cookies after the first page (real browsers hold session cookies).
- Use behavioral fingerprinting: real users have mouse movement, scroll events, time gaps between page loads.
Defense Layer 7: Watermarking
- Visible watermark on videos (low-opacity logo in corner) deters reuse.
- Forensic watermark (invisible, per-user) helps attribute leaks back to the leaker.
- Image watermarking on thumbnails helps attribute scraped image sets.
Covered in detail in its own dedicated post.
Detection: Knowing When You’re Being Scraped
Signal 1: Traffic-Log Patterns
- Same IP hitting /videos/* at a regular interval for hours.
- Sequential video IDs requested in order.
- Unusual user-agent strings.
- Sudden spike in thumbnail-only requests.
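The first two patterns turned into a log check, as an added example (not code from this post). The log format (nginx "combined"), the `/videos/<id>/` URL shape, the thresholds and all function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Captures client IP, timestamp and numeric video ID from /videos/<id>/ requests.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /videos/(\d+)/\S* HTTP/[\d.]+" \d{3} ')

def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
            yield m.group(1), ts, int(m.group(3))

def longest_sequential_run(ids):
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_scrapers(lines, min_requests=5, min_run=5, max_jitter=0.1):
    """Map each suspicious IP to the list of signals it tripped."""
    by_ip = defaultdict(list)
    for ip, ts, vid in parse(lines):
        by_ip[ip].append((ts, vid))
    flagged = {}
    for ip, hits in by_ip.items():
        if len(hits) < max(min_requests, 2):
            continue
        hits.sort()  # time order
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        reasons = []
        if longest_sequential_run([v for _, v in hits]) >= min_run:
            reasons.append("sequential-ids")
        # Near-constant spacing: stdev of the gaps is a small share of their mean.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            reasons.append("regular-interval")
        if reasons:
            flagged[ip] = reasons
    return flagged

# Constructed sample: one metronomic crawler, one human-like visitor.
SAMPLE = [
    f'198.51.100.9 - - [01/Mar/2026:10:00:{i*5:02d} +0000] "GET /videos/{4321+i}/ HTTP/1.1" 200 512 "-" "python-requests/2.31"'
    for i in range(6)
] + [
    f'203.0.113.7 - - [01/Mar/2026:10:{m:02d}:{s:02d} +0000] "GET /videos/{v}/ HTTP/1.1" 200 512 "https://yoursite.com/" "Mozilla/5.0"'
    for m, s, v in [(0, 3, 88), (1, 40, 4321), (2, 5, 17), (6, 50, 902), (7, 1, 45)]]
```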
Signal 2: Bandwidth Graph
Hotlinking shows up as a sudden bandwidth spike without a corresponding page-view increase. Scraping shows up as sustained elevated CDN requests.
Signal 3: External Reverse-Search
- Reverse-image-search your own thumbnails quarterly.
- Watermarked thumbnails make this trivial — anyone else using them is hotlinking or scraping.
- Google Alerts for your site’s name and distinctive video titles.
Signal 4: Direct Observation
- Periodically Google your own video titles.
- Check adult-industry forum reports of new cloner sites.
- Set up Google Search Console alerts for drastic URL-discovery drops.
Response Playbook When You Find a Scraper
- Identify the offending domain and IP(s).
- Block their IP range at your CDN / origin.
- File DMCA takedown notice with the offending domain’s host (find via whois).
- If on Google SERPs, file DMCA with Google to remove from search.
- Report to advertising networks (if they’re running ExoClick/TrafficJunky, those networks often de-list violators).
- Document the incident; escalate repeat offenders to attorney.
Layered-Defense Cost / Benefit
| Defense | Implementation Effort | Blocks % of Abuse |
|---|---|---|
| Referer check | Minutes | ~60% hotlinks |
| Signed thumbnails | A day | ~80% thumbnail hotlinks |
| Signed video URLs | A day | ~90% video hotlinks |
| HLS token auth | Several days | ~95% |
| Session-bound player tokens | Several days | ~97% |
| Rate limiting + UA filters | Hours | ~70% scrapers |
| Watermarking | Ongoing | Attribution + deterrent |
Closing Thought
You will never fully stop determined scrapers and hotlinkers. What you can do is make your site more work to abuse than other sites — and bad actors always go for easier targets. Layered defenses that are invisible to legitimate users and frustrating to abusers are the 2026 standard for any adult tube serious about defending its content and bandwidth.