Our contentserver includes a security feature that allows you to restrict public access to videos or to videos plus players. This feature is enabled in the dashboard. When enabled, content can only be requested by constructing so-called signed links. These links will expire after a short time, preventing unauthorized sharing or leeching of your content.
Signing of your content can be enabled through a setting in the account tab of the dashboard. The setting is called content security and has the following options:
- Allow video downloads and player embeds: this is the default option. Both your videos and players will be publicly accessible.
- Secure video downloads, allow player embeds: Your videos will only be accessible using valid signed URLs. Your players will remain publicly accessible.
- Secure video downloads and player embeds: Both your videos and players will only be accessible through valid signed URLs.
Access to thumbnails, feeds and previews cannot be restricted; they are always publicly available. When access is restricted for videos, the feeds will contain invalid video links. When access to players is restricted, the previews will contain invalid player embeds.
Please make sure you start to use signing on your site before changing this security setting! Unsigned videos and/or players will drop dead the instant you change this setting.
If you want to deny all public access to your videos or players, all you have to do is enable the security setting. There’ll be no way for a third party to generate signed links, since they do not know your account secret. Your content will remain available for previewing / downloading within the dashboard.
If you want to secure your content but occasionally want to forward a video or player link (e.g. to your clients), you can use a small tool like this demo to manually generate a signed URL. Make sure that links do not expire before your client receives them.
If you want to secure your content, but still want to embed players or offer video downloads on your own site (e.g. if you have a pay-per-view site), then you should implement a small script on your site that automatically generates the signed links. For example, you could use a small PHP function like this one to always generate a valid signed URL:
A couple of things to keep in mind when auto-generating signed links:
- The shorter you make the expiration dates, the more you lock down your content. If a link has expired, even download tools like Realplayer will not be able to grab the content. However, at a certain point you will run into expiration issues with slow-responding servers or small discrepancies in server time.
- If you have a high-volume website, the extra signature generation step might be a performance issue. In that case, you could cache signed URLs with an interval of e.g. 1 minute. Signed requests do not have to be unique.
When unsigned content is requested while signing is enabled, the contentserver will return a 403 Access forbidden HTTP header.
When incorrectly signed content is requested, the contentserver will also return a 403 Access forbidden HTTP header. Signed URLs can be incorrect due to a wrong signature or due to an already expired timestamp.
Note that incorrectly signed URLs will always get a 403 returned and correctly signed URLs will always work. Use this to test and put in place your signing mechanism before actually enabling the security in the dashboard.