• How to combat hotlinking your Adobe Flash SWF file (ModuleHotlinkDenial)

    This module publishes a list of website domain names that are allowed to embed the Flash client that connects to your application. Conversely, any domain names that are not on this list are denied the ability to hotlink.

    Hotlinking is another word for embedding. Hotlink Denial controls the HTML container only. For example, you can embed a YouTube video on your website; YouTube even provide a snip of code to make that possible. A user can look at the source code of your HTML page, copy the <embed>/<object> tags (or swfobject), and place these in an HTML page on their website. You can do the same with <img> tags. If you want to allow users to do links in this way, it's called embedding; if you don't want them to do allow this type of linking, it's called hotlinking.


    Notes:
    • This module looks at the domain of the HTML page that embeds the Flash client that connects to your application. It doesn't look at the domain that hosts the Flash client SWF file. To protect hotlinking to the SWF file directly, you should use Website Hotlink Protection. http://www.htaccesstools.com/hotlink-protection/ provides a tool for creating an .htaccess file for Apache servers that will prevent hotlinking of certain file types.

    • This module doesn't prevent someone from using an IFrame or similar method to embed your page in theirs. The module will look at the innermost HTML page (which will be yours) and allow the connection. You should use some sort of Frame Buster code on your page to combat this approach.

    • This module currently only works with RTMP connections from Flash clients. It doesn't work with HTTP or RTSP connections. The main reason why the module doesn't work on these connections is that the HTTP and RTSP players don't send enough information about the domain they are connecting from. The ModuleRefererValidate module provides an alternate type of player verification for these types of players. For more information, see How to control access to your application by checking referrer domain (ModuleRefererValidate).
    A compiled version of this module is included in the Wowza Module Collection.

    Configuration



    To enable this module, add the following module definition to your application. See Configure modules for details.

    Name
    Description
    Fully Qualified Class Name
    ModuleHotlinkDenial Sets a list of hotlinkable website domains and denies hotlinks to other domains. com.wowza.wms.plugin.collection.module.ModuleHotlinkDenial

    Properties



    After enabling the module, you can adjust the default settings by adding the following properties to your application. See Configure properties in the Quick Start Guide for details.

    Path
    Name
    Type
    Value
    Notes
    Root/Application hotlinkDomains String localhost,*mysite.com,www.myothersite.com Comma-separated list of domains that are allowed to connect to the application. The domain names can start with *, which will match any value: for example, *mysite.com will match [I]www.mysite.com[/I] and mysite.com (default: Not Set).
    Root/Application hotlinkEncoders String Wirecast Comma-separated list of encoder Flash Version prefixes that are allowed to connect without being checked. The Encoder Flash Version String is checked against this list to see if it starts with one of these values and is allowed if it does match. If it doesn't match, then it will go through the domain check (default: Not Set).
    Root/Application hotlinkLogConnections Boolean false Enable or disable extra logging for all connection attempts (default: false).
    Root/Application hotlinkLogRejections Boolean true Enable or disable logging for all rejected connection attempts (default: true).

    Wowza media server software and all components, including modules, source code, and other related items offered on this page, are copyrighted (c) 2006-2014 by Wowza Media Systems, LLC, all rights reserved, and are licensed pursuant to the Wowza Media Software End User License Agreement.


    Originally Published: 10-01-2010.
    Updated: For Wowza Streaming Engine 4.0.6 on 08-11-2014.

    If you're having problems or want to discuss this article, post in our forum.