Wowza Community

Secure HLS stream URL

Hi. I have built an app that shows traffic cameras on a map and allows end users to click the icon and view live streaming video. The app is pure HTML5, no server-side software. I’m using google maps and videojs APIs mainly. This is a public facing app that anyone can access with no authentication.

Now the customer is concerned that the stream URLs are exposed and others can get access. For instance, network tab in dev tools or other ways. So, I’m looking for options to either obfuscate or secure those urls. Researching in the docs, I have found a couple capabilities, but I need more info:

SecureToken - it seems this is a good solution, but if I’m understanding correctly, it would require a server-side language like .net or php in order to be truly secure based on this quote from docs:

" Your web server administrator must use this same shared secret value to generate the client-side hash when the client webpage is generated. JavaScript code shouldn’t be used in the client webpage to generate the hash as the code is visible in the webpage source and would pose a potential security risk."

That’s a major architecture change that I would prefer to avoid if possible.

StreamNameAlias - I read about this but it’s not clear if it meets my requirements based on the brief description in docs.

Or if there are other options, I’d love to hear about them.


Is your concern the streams being stolen when not being a subscriber or the bandwidth cost if others get it and connect?

There is no perfect solution for an HLS m3u8 and we normally suggest a variety of security options from the token to IP address restrictions, but in a public facing app, DRM would be good here- if that’s in your budget.

Here is a blog written by an expert in streaming and discusses DRM and piracy.

Thanks for the info. The concern is mainly about the bandwidth impact on our server. I took a look at that blog - it has some useful info, but I’m pretty new to this and not sure I’m really getting it.

I also found this article -, which discusses IP restrictions. This actually sounds like what I’m looking for if I’m understanding it correctly., I could restrict it to just the ip of my web server, right? Are there issues with this approach? See attachment.