Security features in Wowza Streaming Cloud

The Wowza Streaming Cloud™ service provides a range of security features that allow you to protect the delivery of and access to a stream as it moves from camera or source encoder to the transcoder, from the transcoder to a stream target, and from the stream target to a player. You can also limit access to playback based on geographic location or through token authorization. While all security features are available for Wowza Streaming Cloud Apple HLS streams, ultra low latency streams have access to a subset of security features.

This article outlines which security features are available in Wowza Streaming Cloud for Apple HLS streams and which are available for ultra low latency streams. It also points to step-by-step instructions for implementing the security features using the Wowza Streaming Cloud REST API or the Wowza Streaming Cloud user interface.

Security features for Apple HLS streams


The following features are available to secure an Apple HLS stream in Wowza Streaming Cloud from ingest through playback.

User authentication for source connection

User authentication for Apple HLS streams provides a secure connection from the source encoder or camera into the ingest origin server and prevents third parties from connecting to and altering your stream. When user authentication is enabled on a push stream, Wowza Streaming Cloud requires the source encoder or camera to use a username and password associated with the stream to establish a connection. You can set the username and password values, or you can have Wowza Streaming Cloud generate values for you. You can also configure user authentication on a pull stream so that the source encoder or camera uses values set on the encoder side to connect to a live stream or transcoder in Wowza Streaming Cloud.

See these articles to configure user authentication:

Secure ingest for transfer from transcoder to Wowza CDN

Secure ingest allows you to secure a stream with a query parameter as it passes from the transcoder to the Wowza CDN for delivery over HLS. When the Wowza CDN ingests the stream from the transcoder, it requires the query parameter for processing. This prevents third parties from overriding the contents of your stream with unwanted content.

To configure secure ingest using the REST API, see Send streams securely to Wowza CDN with the Wowza Streaming Cloud REST API.

If you create a live stream in the Wowza Streaming Cloud user interface, secure ingest is enabled by default. To enable secure ingest for a Wowza CDN stream target, see Add a Wowza CDN target for HLS playback.

SSL for transfer from transcoder to stream target and playback

After Wowza Streaming Cloud transcodes (or passes through) encoded live source video, it sends a stream to geographically distributed servers called stream targets. Those targets then deliver the stream to viewers, such as through a hosted webpage or a direct playback URL. Wowza Streaming Cloud uses the HTTP protocol to make these two outbound network transfers.

Secure Sockets Layer (SSL) can provide secure and encrypted HTTPS connections as a stream moves through the network connections from transcoder to stream targets and from stream targets to playback destinations. When specific stream target properties are enabled, Wowza Streaming Cloud uses SSL to establish a handshake for encrypting HTTP connections. You can choose to deliver streams from transcoders to targets using SSL, to deliver streams to players for playback using SSL, or both. You can also require the player client to use HTTPS for playback.

Encrypting connections between servers and clients using SSL and HTTPS prevents data from being intercepted and manipulated in transit and prevents third parties from altering a stream as it moves between servers. As of 2018, certain browsers warn users against websites with content served over unsecured HTTP connections. Configuring SSL for your Apple HLS streams can help secure streams and avoid browser warnings.

See these articles to configure SSL playback for Apple HLS streams:

Geo-blocking for playback

Geo-blocking through Wowza Streaming Cloud allows you to selectively allow or block access to Wowza stream targets to control where a stream can be viewed. You can use geo-blocking to specify which countries or regions are allowed or which countries or regions are blocked. You can also allow streaming at specified IP addresses even if they're within a blocked location.

See these articles to configure geo-blocking for Apple HLS streams:

Token authorization for playback

Token authorization protects streams by requiring a token, which is hashed and appended to the playback URL, for viewer access. You can use token authorization to make a stream playback URL unavailable after a certain length of time, to limit access to approved IP addresses, to provide content to paying viewers only, or to apply other restrictions. Token authorization prevents playback URLs from being shared through unauthorized links or player hijacking attacks.
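How an expiring, IP-restricted hashed token on a playback URL can work in general, shown as an added example that is not from Wowza's documentation. The parameter names (exp, net, sig), the HMAC-SHA256 construction, the shared secret and the sample URL are assumptions for illustration, not the Wowza Streaming Cloud token format.

```python
import hashlib
import hmac
import ipaddress
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed value for illustration; a real secret is random and stored server-side.
SHARED_SECRET = b"constructed-demo-secret"


def _sign(path: str, expires: int, allowed_net: str) -> bytes:
    # The HMAC binds the stream path, expiry and allowed network to the secret.
    msg = f"{path}\n{expires}\n{allowed_net}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest().encode()


def make_playback_url(base_url: str, ttl_s: int, allowed_net: str, now=None) -> str:
    """Issuer side: append an expiring, network-restricted token to a playback URL."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_s
    sig = _sign(urlsplit(base_url).path, expires, allowed_net).decode()
    return f"{base_url}?{urlencode({'exp': expires, 'net': allowed_net, 'sig': sig})}"


def check_playback_url(url: str, client_ip: str, now=None):
    """Edge side: recompute the hash, then enforce expiry and client network."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        expires, allowed_net, sig = int(params["exp"]), params["net"], params["sig"]
        network = ipaddress.ip_network(allowed_net)
        client = ipaddress.ip_address(client_ip)
    except (KeyError, ValueError):
        return False, "malformed token"
    # Verify the signature first so unsigned parameters are never trusted.
    # compare_digest runs in constant time, which avoids leaking the hash by timing.
    if not hmac.compare_digest(sig.encode(), _sign(parts.path, expires, allowed_net)):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    if client not in network:
        return False, "client IP not allowed"
    return True, "ok"
```

Because the expiry and network are covered by the hash, a viewer who edits either value in a shared link invalidates the token instead of extending access.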

See these articles to configure token authorization for Apple HLS streams:

Security features for ultra low latency streams


The following features are available to secure an ultra low latency stream in Wowza Streaming Cloud during source connection and playback.

User authentication for source connection on pull streams

User authentication for ultra low latency pull streams provides a secure connection from the source encoder or camera into the ingest origin server and prevents third parties from connecting to and altering your stream. A pull stream indicates that Wowza Streaming Cloud pulls your stream from the encoder or IP camera. To configure user authentication for a pull stream, you enable authentication for your source encoder or camera. Wowza Streaming Cloud then uses a source URL you provide to connect to the authenticated source stream and pull it to an origin server for an ultra low latency stream target.

See these articles to configure user authentication for ultra low latency streams:

IP whitelisting for source connection on push streams

For ultra low latency push streams, you can control the connection to an ultra low latency target's origin server by providing a list of IP addresses for trusted sources. Only sources with whitelisted IP addresses are allowed to connect to the ingest origin server, preventing unauthorized sources from connecting to and altering your stream. A push stream indicates that the source encoder or IP camera pushes the stream to Wowza Streaming Cloud.

See these articles to configure IP whitelisting:

SSL for playback

After Wowza Streaming Cloud with Ultra Low Latency receives an ultra low latency stream at an origin server, it sends the stream to playback destinations using a WebSockets (WS) connection. If a backup HLS stream is enabled, the HLS stream moves from the Wowza Streaming Cloud edge server to a playback destination over an HTTP connection. Ultra low latency and backup HLS streams are available over both encrypted WSS and HTTPS connections and unencrypted WS and HTTP connections. To ensure playback over a secure connection for ultra low latency, you can use SSL to embed Wowza Player configured with secure playback URLs into a webpage hosted over HTTPS. These secure playback URLs use SSL to establish a handshake between a server and client to exchange encrypted data over WSS and HTTPS.

Encrypting connections between servers and clients using SSL prevents data from being intercepted and manipulated in transit and prevents third parties from altering a stream as it moves between servers. As of 2018, certain browsers warn users against websites with content served over unsecured HTTP connections. Configuring SSL for playback of ultra low latency streams can help secure your streams and avoid browser warnings.

See these articles to configure secure playback for ultra low latency streams: