There are several possible security from hotlinking settings:

• You can check the referrer;
• You can sign the URL;

In the signature, you can optionally specify the lifetime, the IP-address (es) for which the signature is valid, and the maximum number of IP-addresses that can use this URL.

• Now the Cookie can be checked additional (you can choose any name). If its value matches the key value - the request is valid, even if there is no IP binding or no ref (if there is a ref but the values does not match - the request will be rejected). If there is no IP binding, missing the proper coockie will reject the request unless there is a valid ref.

In short - any of these three checks (for the correct IP, coockie or referrer) is enough for the request to be accepted and processed. Hotlink can not fake any of these parameters