All Products
Document Center


Last Updated: May 27, 2020


How to protect video content from hotlinking and illegal download or distribution is a long-standing problem for many enterprises. There is an urgent need for a solution especially in online copyrighted video fields such as premium TV shows, online education, finance, and industry training. If video content is not protected properly in such fields, serious economic losses and even legal risks may occur.

ApsaraVideo for VOD provides a comprehensive content security protection mechanism to meet the security requirements in different business scenarios.


Access control

The access control service allows you to configure access policies in the cloud to provide basic protection for video resources. The common access control policies include:

  • Referer access control: You can use the Referer header in HTTP requests to determine the referer (the page that led the user to the current page). You can configure a referer blacklist or whitelist (but not both) to control access to video resources.
  • User-Agent access control: You can configure a User-Agent blacklist or whitelist by using the HTTP User-Agent header to control access to video resources.
  • IP address access control: You can configure an IP address blacklist or whitelist by using the HTTP X-Forwarded-For header or actual IP addresses of users to control access to video resources. You can configure the IP address blacklist or whitelist by using an IP address list or a subnet mask.
  • Restrictions on the number of access times: You can configure the maximum number of times that a video URL can be accessed in a certain period and the maximum number of unique IP addresses that are granted access to the video URL after deduplication.

For more information, see Access control.

URL signing by ApsaraVideo for VOD

If fixed playback URLs are used, unauthorized video distribution may occur and cannot be effectively controlled. ApsaraVideo for VOD provides the URL signing feature. This feature generates dynamic and signed URLs (containing information such as permission verification and validity period) to distinguish legal requests and protect video resources.

  • After URL signing is enabled, ApsaraVideo Player SDKs and the API or SDKs for obtaining playback URLs automatically generate playback URLs with a validity period. If you want to generate you own dynamic URLs with authentication information, see Authentication method in URL signing.
  • After URL signing is enabled, the URLs of all media resources, including videos, audio, thumbnails, and snapshots, need to be signed.
  • Authentication keys are set by domain name and stored on the server to ensure security. The primary and secondary keys can be smoothly switched. If the primary key is changed, the secondary key is used to generate playback URLs. In this way, you can update the authentication keys by changing the primary and secondary keys alternately.

For more information, see URL signing.

CDN reauthentication by the customer

URL signing by ApsaraVideo for VOD uses the default authentication center of Alibaba Cloud. This authentication method authenticates requests without using the customer’s business request information. Therefore, this authentication method cannot detect all illegal requests such as hotlinking requests. CDN reauthentication by the customer can improve the detection accuracy.

  • In CDN reauthentication mode, CDN transparently transmits user requests to the customer’s authentication center, and the customer determines whether the requests are legal. CDN allows or rejects the requests based on the customer’s judgment.
  • To implement CDN reauthentication, the customer needs to develop and deploy an authentication center. If the domain name of the authentication center is accelerated in CDN, CDN can cache the customer’s authentication results based on certain rules. This reduces the pressure on the customer’s authentication center. By default, CDN transparently transmits the headers and request_uri fields in user requests to the customer’s authentication center and performs actions based on the authentication results returned by the authentication center.

For example, the customer can hide a user’s logon cookie or UUID in a playback request, and then transparently transmit the playback request to the customer’s authentication center. In this way, the customer can determine whether the user is a legal user.

You need to develop and deploy your own authentication center to use CDN reauthentication. If you need to use CDN reauthentication, submit a ticket or contact ApsaraVideo for VOD after-sales for activation and configuration.

Video encryption

The hotlinking protection mechanism can effectively protect users’ legitimate access. However, in the paid video scenario, users can pay a one-time fee for a video and download the video file from the legitimate playback URL with hotlinking protection. Then, redistribution becomes uncontrollable. Therefore, the hotlinking protection mechanism is far from enough to protect video copyrights. The leakage of video files may cause serious economic losses to businesses that charge users for watching videos.

Alibaba Cloud video encryption service encrypts video data. Video files downloaded to a local device are encrypted, preventing unauthorized redistribution. This effectively prevents video file leakage and hotlinking.

Alibaba Cloud video encryption

Alibaba Cloud video encryption uses a private encryption algorithm and a secure transmission mechanism to provide a cloud-device integrated video security solution. Alibaba Cloud video encryption contains two parts: “encryption and transcoding” and “decryption and playback.”Core advantages:

  • Each media file has a dedicated encryption key. This prevents the leakage of a large number of video files in case that the key for a single file is disclosed.
  • ApsaraVideo for VOD provides an envelope encryption system using ciphertext and plaintext keys. Only the ciphertext keys are stored. The plaintext keys are only used for processing in the memory but are not stored. They are destroyed immediately after use.
  • ApsaraVideo for VOD provides secure ApsaraVideo Player SDKs for multiple platforms, including iOS, Android, HTML5, and Flash. ApsaraVideo Player SDKs can automatically decrypt and play encrypted videos.
  • The private encryption protocol is used to transmit ciphertext keys between players and the cloud. The plaintext keys are not transmitted. This effectively prevents the keys from being intercepted.
  • ApsaraVideo for VOD provides the secure download feature. Videos cached locally are encrypted again. This allows videos to be played offline while preventing videos from being copied.

Note: Videos encrypted in Alibaba Cloud video encryption mode supports only the HLS format, and can be played only by ApsaraVideo Player.

For more information, see Alibaba Cloud video encryption.

Standard HLS encryption

Standard HLS encryption supports the common encryption scheme specified in HTTP Live Streaming. Standard HLS encryption uses AES-128 to encrypt the video content and supports all HLS-compatible players. You can use your self-developed player or an open-source player to play videos encrypted in standard HLS encryption mode. Compared with Alibaba Cloud video encryption, standard HLS encryption provides better flexibility but is relatively difficult to use and provides lower security.

  • You must construct a key management service to generate keys for encrypting videos during transcoding and obtain decryption keys during playback. You can also encapsulate Alibaba Cloud KMS as the key management service.
  • In addition, you must construct a token issuance service to verify players and prevent unauthorized access to decryption keys. This is a key point. If the token issuance service is not implemented properly, all other security measures are in vain.
  • The plaintext keys are transmitted between players and the cloud, making them easily intercepted.

For more information, see Standard HLS encryption.

Commercial DRM

High-end video programs must meet the security requirements of content providers, such as Hollywood. Alibaba ApsaraVideo cooperates with ChinaDRM, which has been certified by both National Radio and Television Administration (NRTA) of China and Hollywood, to launch the first cloud DRM solution in China. This solution will be commercially available soon. If you need to use this solution, contact your business manager, submit a ticket, or contact ApsaraVideo for VOD after-sales.

Video encryption summary

  • Each video encryption solution has its own advantages and disadvantages. In general, a more standard and universal solution provides higher flexibility but lower security. Select a solution based on your business scenario.

    • Security level: commercial DRM ≈ Alibaba Cloud video encryption > standard HLS encryption

      The security level of Alibaba Cloud video encryption is approximately equal to that of commercial DRM. The security levels of both Alibaba Cloud video encryption and commercial DRM are significantly higher than that of standard HLS encryption.

    • Ease of use: Alibaba Cloud video encryption > standard HLS encryption > commercial DRM

      Alibaba Cloud video encryption provides a cloud-device integrated solution that allows you to seamlessly integrate the encryption capability through simple configuration and use of ApsaraVideo Player. To use standard HLS encryption, you need to construct a key management service and a token issuance service. To use commercial DRM, you need to purchase a license and integrate the specific SDK.

    • Universality: standard HLS encryption > commercial DRM > Alibaba Cloud video encryption

      Standard HLS encryption supports all HLS-compatible players. Commercial DRM supports only authorized platforms (such as the Chrome, Safari, Internet Explorer, and Microsoft Edge browsers and the Android and iOS operating systems). Alibaba Cloud video encryption supports only ApsaraVideo Player (for Android, iOS, HTML5, and Flash).

    • Cost: Alibaba Cloud video encryption = standard HLS encryption << commercial DRM

      Both Alibaba Cloud video encryption and standard HLS encryption are free of charge. Commercial DRM requires additional license fees.

Secure download (caching)

Video applications, especially those for mobile devices (Android and iOS), often need to cache videos on or download videos to local devices. The videos stored locally must be protected from unauthorized playback or redistribution. The secure download feature provided by ApsaraVideo Player can effectively protect the videos downloaded to local devices.

Secure download is a process where asymmetric encryption is used to encrypt a video. After the video is downloaded, it is decrypted in ApsaraVideo Player SDKs. This ensures that the offline video is only played by the application with the bundleID or keystore specified in secure download settings. Main advantages:

  • After a video is downloaded, it can be decrypted and played offline and can be played only by the specified application.
  • The private key file is stored after encryption to effectively prevent theft.
  • Each video file has an independent private key on each application. When the private key of a single video is disclosed, other videos are not affected.

To use this feature, configure download in the ApsaraVideo for VOD console.