FLV Hotlink Protection
 

What's the best solution to prevent other sites from hotlinking my .flv video? I have some websites from Turkey and China embedding their flv players, but hotlinking my videos on their websites. Are there any good scripts to take care of this? Or alternatively, could this be safely taken care of with .htaccess by any chance?

only allow linking from your domain only

how do I do that? I know how to do image files, but not sure how to take care of .flvs :(

My recent research has led me to the conclusion that hotlink protection for Flash video files is quite difficult as Flash video players do not send referrer information when they access the video. If I'm not mistaken, .htaccess depends on this referring information to determine whether or not the video is being hotlinked.

Your best option, given the above information is accurate, is to seek out and implement some streaming video solution as they normally afford you hotlinking protection.

Outside of this, you will probably want to obfuscate the link to your videos (such as using www.domain.com/stream.php?video_id=X as the URL for the video) and/or implement some solution where the names of your video files are changed at certain invervals.

Hopefully someone more knowledgeable than myself will chime in.

Use wowza

Dump for the htaccess answer.

It is difficult....I change the name of my files periodically.

That's what I resorted to now that I've seen how much fucking bandwith they'd wasted. Especially the Chinese fuckers :321GFY

I'm still hoping there's a script that works well enough for this :mad:

There are many modules for Apache, lighttpd, etc. that do this for you.

.htaccess (mod_rewrite used for referrer blocking) is not an option for blocking FLV's, or really any video whatsoever.

It depends on your server setup and configuration which modules can be used, and how hard said modules are to implement.

The most basic and easiest way is if the videos are only to be accessed from your domain(s), and you can make a rule such as "unless the visitor has visited page X in the last 15 minutes, deny all video loads for them".

From there, you can do more complicated things such as have your application link to videos with a secure token in the URL, etc. This would require some form of application modifications however. More and more apps are starting support this.

If you also need to support embeds in random websites, it gets a lot harder to "filter" good traffic from bad. You can setup mod_geoip to do most of what you like most likely, but we have run into some customers who want quite a bit of complex rulesets made - so sometimes it can be difficult.

i tried this via htaccess

direct link http://www.domain.com/video.flv (blocks it)
wget link (blocks it)
embed from a player on another server (blocks it)
download manager (blocks it)

mod_secdownload...

all flvs in one folder and change the folder name periodically rahter than each file's name, better yet if your script can do this

I'm gonna give this a try. Being a complete newb, I take it "domain" is to be replaced with my domain name (the only domain name that will be allowed to play these files) and trailing slashes retained as in example, right? i also take it this .htaccess file is to be uploaded in the directory where files are stored, right?

Fris, I've tested some of the things and it seems to work fine on those. Will do some more testing, just had quick question - what line would I need to add to it in order to allow one more external domain name to play back the videos (in other words, both local plus one more domain name would be allowed to play it back).

Thats because your ruleset denies all requests without an HTTP_REFERER,
you are going to block a lot of legit requests with that.

There are several ways to do it.

Of course, since I also run tube sites I am not interested in telling you how and make you a viable competition.

Hire a coder/server admin or research it by yourself.

what script you use, that don't have hotlink protection?

doesnt this only permit domain.com to show the videos or else it blocks it?

if not domain.com as refer then 403?

i only want to display it on domain.com

There is no way to protect FLV files on 100%. Every method (including cookies, obfuscated names etc) can be easily hacked if someone needs it.

So if you are a tube owner - get ready to be ripped off.

You are right about that.
The problem with flv players is that they don't send a HTTP_REFERER (just like the old movie problem) and you will be blocking legitimate requests.
This is the reason scripts like antihotlinking, traffic guardian and the like were created.

I don't know how much bandwidth is costing you but check out LinkSentinel or contact them about your needs. They do custom work as well.

Flash ALWAYS sends player/verion information along with it, including referer header information [at least, the last time I checked]. It's not possible to remove this from within the flash itself, the headers are fixed.

You don't want to change your filenames, what you want to do is this.
When you embed your videos, feed a hash into the player.
This hash will be either a] time locked, or b] 1 time only [ie, stored in a db]
The player, when it goes to load the video, will send the original hash, and modified [xoring is easiest] version of the hash.

When the request comes to play the file, if the first hash and second hash aren't present or aren't matching as they should be, the file simply doesn't play.

There are other steps to take from here, keeping your hash system well salted, encrypting your SWF file [to prevent your xor algo getting cracked]

This is not the only way. There are quite a few others, such as:
1 - Set a session when the visitor hits your page. No session, no play.
2- Whitelist the person's IP when they hit your page, for ~30 seconds to play a video.
No whitelist, no play.

There are heaps of ways of doing this :)

Well, as a general rule, if you can play it, you can steal it, but there are good ways to prevent hotlinking.

I had to double check to make sure, I'm not seeing it:
Yeah, this is pretty much the best idea* as long as by session you're not referring to a browser session.

* - it can be tricked with frames so you will need to break out of frames
and with image preloading, you can use the standard mod rewrite protection for this.

That's a browser request.
Check the headers. Just cap'd this.

You *cannot* unset x-flash-version, UA-CPU or Referer in flash.

I personally like the rolling hash + timebombed URLs. If you make them last for say 5 plays or 1 hour, people add them to their tubes and forget about them, then they end up w/ broken URLs ;)

I'm not a tube owner. I own a blog and have three videos on it that I'm hosting myself. I don't pose a "competition" threat to anyone here. I'm focusing more and more on mainstream and blog in question is NOT an adult blog either. However I prefer to host my content myself, including pictures and videos so I don't have broken shit on my pages if owner of the video deletes it (even if we're talking youtube or liveleak). That's why I'm hosting my own videos. But fuck - I get a lot of bandwidth wasted by Chinese and Turkish fuckers and get nothing out of it in return, that's why I've asked if there was a way to eliminate this BW theft.

Not a tube owner, just an innocent blog with a couple of posts that contain videos is all. I have never owned a tube and don't plan on. However even if one of your videos gets hotlinked by a busy Chinese site, it eats up a lot of BW. I'm looking around for a solution to help me eliminate it.