Combat hotlinking your Adobe Flash SWF file (ModuleHotlinkDenial)

This module publishes a list of website domain names that are allowed to embed the Flash client that connects to your application. Conversely, any domain names that are not on this list are denied the ability to hotlink.

Hotlinking is another word for embedding. Hotlink Denial controls the HTML container only. For example, you can embed a YouTube video on your website; YouTube even provide a snip of code to make that possible. A user can look at the source code of your HTML page, copy the <embed>/<object> tags (or swfobject), and place these in an HTML page on their website. You can do the same with <img> tags. If you want to allow users to do links in this way, it's called embedding; if you don't want them to do allow this type of linking, it's called hotlinking.

  • This module looks at the domain of the HTML page that embeds the Flash client that connects to your application. It doesn't look at the domain that hosts the Flash client SWF file. To protect hotlinking to the SWF file directly, you should use Website Hotlink Protection, which provides a tool for creating an .htaccess file for Apache servers that will prevent hotlinking of certain file types.
  • This module doesn't prevent someone from using an IFrame or similar method to embed your page in theirs. The module will look at the innermost HTML page (which will be yours) and allow the connection. You should use some sort of Frame Buster code on your page to combat this approach.
  • This module currently only works with RTMP connections from Flash clients. It doesn't work with HTTP or RTSP connections. The main reason why the module doesn't work on these connections is that the HTTP and RTSP players don't send enough information about the domain they are connecting from. The ModuleRefererValidate module provides an alternate type of player verification for these types of players. For more information, see Control access to your application by checking referer domain (RefererValidate).

A compiled version of this module is included in the Wowza Module Collection.


To enable this module, add the following module definition to your application. See Configure modules for details.
Fully Qualified Class Name
ModuleHotlinkDenial Sets a list of hotlinkable website domains and denies hotlinks to other domains. com.wowza.wms.plugin.collection.module.ModuleHotlinkDenial


After enabling the module, you can adjust the default settings by adding the following properties to your application. See Configure properties in for details.

Root/Application hotlinkDomains String localhost,*, Comma-separated list of domains that are allowed to connect to the application. The domain names can start with *, which will match any value: for example, * will match [I][/I] and (default: Not Set).
Root/Application hotlinkEncoders String Wirecast Comma-separated list of encoder Flash Version prefixes that are allowed to connect without being checked. The Encoder Flash Version String is checked against this list to see if it starts with one of these values and is allowed if it does match. If it doesn't match, then it will go through the domain check (default: Not Set).
Root/Application hotlinkLogConnections Boolean false Enable or disable extra logging for all connection attempts (default: false).
Root/Application hotlinkLogRejections Boolean true Enable or disable logging for all rejected connection attempts (default: true).