Securing Your Content

Blog 6 min read | Aug 9, 2010 | JW Player



JW Player supports industry standard DRM (Digital Rights Management) to help secure your content. JW Player 7.5+ supports Clearkey, Widevine, FairPlay and PlayReady DRM. Use this Stream Tester on the developer site to test DRM functionality with JW Player in HTML5 or Flash mode.

DRM solutions are available for both HLS and DASH adaptive streaming and are configurable via our Javascript API. To learn more about DRM configuration & setup, check out this article on our support site.


Since the Napster trials in late 1999, content producers have become increasingly aware of intellectual property issues. Even then, the Recording Industry Association of America (RIAA) tried to send the message that the Internet had made widespread piracy possible, and that it was leading to enormous losses in revenue for the music labels and artists.

In addition to direct losses from piracy, content producers today face an even greater challenge when it comes to controlling how their work is distributed. It’s quite common for anyone who admires your video to simply repost it on their site. Generally, this isn’t a big deal – it’s flattering and it provides a mechanism for increasing the visibility of your work. Unfortunately, this redistribution can also lead to a poor perception of your work and it can also dramatically increase your web-hosting costs.

With that in mind, I’d like to introduce “The Golden Rule”:

Anyone who can watch your video can steal your video.

It is very easy to become paranoid about protecting your content. We’ll try to offer a few simple steps that you can take to defend against most unauthorized uses, however you will need to take into account the technology you have available, the time amount of time you can invest in setting everything up, and the amount of money you’re willing to spend.

Security for Individuals

The most basic form of protection is obfuscation, which can be accomplished on the web with JavaScript. In order to watch your video, a viewer’s computer must first know its location. As a result, the location is generally printed right in the source code of the page with the video. Using JavaScript, it’s possible to do some complicated text replacements so that the actual address isn’t immediately visible. As easy and useful as this seems, most web browsers offer an interface for inspecting web traffic, which will always display the non-obfuscated address, thus rendering this solution ineffective.

This is a prime example of client-side security, which means that the actual security measure is written into the software running on the user’s computer. However, given the limitations of this type of security, most content protection relies on a completely different type of security: server-side security. Server-side security is much more reliable as regulates access at the source and only relies on hardware you control.

The most widely used form of server-side security is web authentication. If your web browser has ever popped up a dialog box and asked you for a username and password, then you’ve used web authentication. The best part is that most web common servers have this functionality built in, which makes it incredibly cheap and easy to implement. In fact, configuring web authentication can be as simple as creating a text file. But be careful – it’s very easy to give users access to content they shouldn’t be able to see and it can become time consuming to manage. In fact, web authentication is relatively insecure in practice as individuals often share their usernames and passwords. For this reason, it’s not recommended in an organizational setting, but it’s perfectly appropriate for sharing between a few trusted individuals.

Security for Small and Medium Sized Organizations

Just like web authentication is the de-facto security mechanism for individuals running their own web servers, temporary URLs are the de-facto security mechanism for organizations using a content delivery network (CDN). Sites using temporary URLs generate a new link to a video file every time a user loads the page. This link is only valid for a short period of time or a limited number of accesses. Once it has expired, individuals who want to view the content will have to request a new link. This makes it incredibly effective at protecting against leechers (people who copy-and-paste your embed code into their site), since the link that’s copied will eventually expire. In fact, many video hosting services, such as Bits on the Run and Amazon Web Services’ CloudFront readily promote this.

Temporary URLs become even more effective when uses in combination with encrypted streams. This prevents malicious individuals from intercepting web traffic on your network in order to reconstruct the video, since only the viewer at the end will have the credentials to decrypt the video. The most commonly used implementation is Adobe’s Flash Media Server (FMS) with encrypted RTMP. While individuals have created software that allows viewers to extract the video from these streams, they are not widely used, in large part due to legal action by Adobe. Both Bits on the Run and Cloudfront offer encrypted RTMP streaming via FMS, and it works in combination with their temporary URL mechanisms.

Security for Large Organizations and Institutions

No discussion of content security would be complete without mentioning digital rights management, or DRM. While DRM is the most secure form of content protection, it’s really only suitable for large organizations, owing to its cost and complexity. DRM solutions use special cryptographic algorithms when encoding to ensure that only individuals with the proper credentials are able to decrypt and view the content, and often only after being authenticated by a DRM server or for a specified period of time. Not surprisingly, vendors charge a pretty penny for the software ($40,000+ in licensing fees are not uncommon), and this says nothing about the cost of maintaining and running the necessary server hardware.

Additionally, DRM blocks many legitimate users, especially those using mobile devices. For example, Apple’s DRM solution for audio, video, and eBooks, FairPlay, only works on Apple devices or computers running QuickTime. Microsoft’s PlayReady DRM has been supported by their cross-platform Silverlight player since version 2, but only after they abandoned their PlaysForSure DRM solution, stranding many users with unplayable content. Finally, Adobe’s Flash Access DRM has only recently become available to clients with the release of Flash 10.1, so it’s ability to deliver secure content to clients is still limited.


Hopefully you are now aware of the need to protect your content, and feel equipped to make a decision about what type of protection best suits your needs. Clearly, the challenges associated with securing original content online have continued to increase as people have sought out ways to circumvent protective measures. And so while technical solutions to protect intellectual property continue to grow more complex, you should always remember one thing: that your videos are your property and you have a right to protect them.