Preventing Unauthorized Viewing

Secure media against unauthorized viewing through the following methods:

Token-Based Authentication

The Token-Based Authentication feature may secure live and on-demand streams by requiring that a viewer satisfy a set of security requirements before being granted access to your content. This type of configuration is supported under the following circumstances:

To create a rule that secures manifest files with Token-Based Authentication

  1. If a policy has been deployed to the Production environment, then create a copy of it. Otherwise, create a draft.
  2. Modify the draft to include the URL Path Extension Literal match condition.

    Configure this match condition as indicated below.

    • Set the Result option to "match."
    • Set the Value option to "m3u8 mpd" to secure HLS and MPEG-DASH manifest files.
    • Set the Ignore Case option to "yes."
  3. Directly below this match condition, add the Token Auth feature.

    1. Click .
    2. Select "Feature," set the category to "Access," and then select "Token Auth."
    3. Enable this feature by clicking "no" under the Enabled option. This option will now be set to "yes."
  4. Click Save.
  5. Convert the draft into a policy.
  6. Deploy the policy to the Production environment.

Stream Encryption

Both Encrypted HLS and Encrypted Key Rotation are incompatible with Server-Side Archiving.

Stream encryption requires the activation of the Encrypted HLS feature. Please contact your CDN account manager to activate this feature.

AES-128 encryption can be applied to HLS streams generated for your live events and on-demand content. Encrypted streams can only be decrypted by players that support encrypted HLS (e.g., iOS devices, QuickTime, and Android devices). Players that do not support encrypted HLS will be unable to play back encrypted streams.

Key information:

Live Streaming Configuration

An event's configuration determines whether its streams will be encrypted. Specifically, the Encrypt HLS option toggles whether AES-128 encryption will be applied to all streams associated with the instance.

Key Rotation

Key rotation requires the activation of the Encrypted Key Rotation feature. Please contact your CDN account manager to activate this feature.

The encryption key generated for a live stream may be rotated at regular intervals to prevent unauthorized playback via a shared link. Upon enabling this capability, a media player will be required to fetch the latest version of the encryption key at the specified interval.
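To confirm that a stream is actually served with AES-128 and that its key rotates, you can audit a downloaded media playlist. The following is an added example, not code from this CDN's documentation; it assumes rotation appears as successive standard HLS `#EXT-X-KEY` tags with different URIs, and the key URLs and segment names in the sample are constructed.

```python
import re

# Constructed sample playlist: AES-128 with the key rotated every two segments.
SAMPLE = """\
#EXTM3U
#EXT-X-TARGETDURATION:6
#EXT-X-MEDIA-SEQUENCE:100
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.com/k/1"
#EXTINF:6.0,
seg100.ts
#EXTINF:6.0,
seg101.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.com/k/2"
#EXTINF:6.0,
seg102.ts
#EXTINF:6.0,
seg103.ts
"""

ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')

def audit_playlist(text):
    """Report which segments each EXT-X-KEY covers and which are sent in the clear."""
    current, keys, clear, duration = None, [], [], 0.0
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#EXT-X-KEY:"):
            attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(line.split(":", 1)[1])}
            if attrs.get("METHOD") == "NONE":
                current = None  # following segments are unencrypted
            else:
                current = {"method": attrs.get("METHOD"), "uri": attrs.get("URI"),
                           "segments": 0, "seconds": 0.0}
                keys.append(current)
        elif line.startswith("#EXTINF:"):
            duration = float(line[len("#EXTINF:"):].split(",")[0])
        elif line and not line.startswith("#"):  # a segment URI
            if current is None:
                clear.append(line)
            else:
                current["segments"] += 1
                current["seconds"] += duration
    return {
        "keys": keys,
        "unencrypted": clear,
        "non_aes128": [k["uri"] for k in keys if k["method"] != "AES-128"],
        "rotates": len({k["uri"] for k in keys}) > 1,
        "max_key_seconds": max((k["seconds"] for k in keys), default=0.0),
    }

if __name__ == "__main__":
    print(audit_playlist(SAMPLE))
```

A non-empty `unencrypted` list or `rotates` being false on a live playlist that spans more than one rotation interval indicates the configuration is not in effect for that stream.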

Key information:

On-Demand Streaming Configuration

The Protected Directories for Encrypted HLS section on the Dynamic Cloud Packaging - VOD page defines the set of locations that will generate encrypted streams from on-demand content.

Secure a directory by:

Key information: