Skip navigation
Currently Being Moderated

How to protect hls stream? (from others serving "my" m3u8's on their site...)

Dec 27, 2011 2:53 PM

Tags: #video #live #hls #server #ios #secure #apache #streaming #stream #4.5.1 #m3u8 #live_streaming #protected #livepkgr

Situation: live hls multi-bitrate, livepkgr, m3u8 served on "my" website


(iOS user gets on "my" page, clicks on the m3u8 link and views the live content - no problem there...)


What is stopping other to use my playlist on their website and offer the same service with "my" infrastructure?



If i use protected hls - i still will be giving keys to all the viewers - both those who came through my website and also all others - so not much help there with this particular question - right?

  • Currently Being Moderated
    Jan 1, 2012 11:10 PM   in reply to nnmk

    Currently protected HLS only garuntee (flexible feature) that only valid ios devices can play the stream. But yes, that doesn't solve your problem. You may like to add some sort of authentication  in key delivery part. For example, you may write ios-application to re-write key delivery URL and add some query token to it in NSURLProtocol class. And on apache side, you may check validity of URL sender before request is picked up by the hls module.


    This is just a direction.. Though we are looking for some inherent solutions in this direction..

    Mark as:
  • Currently Being Moderated
    Jan 2, 2012 9:06 PM   in reply to nnmk

    Though it is easily discoverable the hackers but still a direction:


    1. For example, in you client app inside NSURLProtocol you may change the key URL from to

    Now, inside apache conf, you may change the location directive hls-key to my-app-hls-key.. In this way any key request that comes as former URL will be reected by the module, while later will be passed.


    Since later key requests will only from your client app (which re-write key url inside app using ios NSURLProtocol class) they will succeed as apache confs are configured to accept them while former once are failed.


    However this can be traced and replicated by others too..


    If you want more secure way then, you may like to send some cookies with the key url as query parameter (again you will have to write your custome app to do that).. On apache side you may write your own module which first authenticate the cookie then redirect the "query parameter stripped key url" to the


    Why am I only talking about authenticating the key URL not the m3u8 or ts because key url is on https which should always hit the origin.. m3u8 or ts are normal http and can be served from the cache..

    Mark as:
  • Currently Being Moderated
    Jan 3, 2013 12:51 PM   in reply to Nitin Goel

    Do you have an example of writing an Apache module that does authentication and passes the stripped URL to mod_hlshttp?  This is exactly what I need to do (after beating my head against AMS server-side ActionScript and finally realizing that HLS is handles through Apache...)


    I'm sure I could dig on the web, but if you have an example it could probably save me a lot of time/effort/headache...


    Thanks in advance.

    Mark as:
  • bobsagat123
    44 posts
    Oct 3, 2011
    Currently Being Moderated
    Jan 29, 2013 10:47 AM   in reply to wjturner.vm-go

    I am trying to achieve this as well - an example would be really great.

    Mark as:
  • Currently Being Moderated
    Aug 20, 2013 5:36 AM   in reply to bobsagat123

    How about the example? I need it also.


    Could you please share it?


    Thanks in advance.

    Mark as:

More Like This

  • Retrieving data ...

Bookmarked By (0)

Answers + Points = Status

  • 10 points awarded for Correct Answers
  • 5 points awarded for Helpful Answers
  • 10,000+ points
  • 1,001-10,000 points
  • 501-1,000 points
  • 5-500 points