AWS for M&E Blog

Securing your origin for Media and Entertainment workflows

Media streaming applications face increasing security challenges from unauthorized content access and redistribution. We’ll examine common security threats to streaming workflows and provide practical solutions to protect content using Amazon Web Services (AWS).

Security challenges in media streaming

When your streaming application lacks proper security measures, unauthorized users can:

  • Access and redistribute your content without permission
  • Embed your streams in unauthorized websites
  • Use automated programs to scrape your content

These security breaches can lead to:

  • Customer churn
  • Increased infrastructure costs
  • Degraded application performance

This blog is the second in our series about origins for media and entertainment workflows. Previously, we covered how to select the appropriate origin for your workflow. Now, we’ll focus on securing your origin and content.

Protection methods against unwanted access

We’ll examine three primary unauthorized access points and their corresponding solutions:

  • Cross-Origin Resource Sharing (CORS) and direct origin access
  • iFrame embedding
  • Uniform Resource Locator (URL) sharing

1. CORS and direct origin access

To protect your origin from direct access, make sure your client-facing application or website requests the video stream only through your content delivery network (CDN). The AWS CDN service is Amazon CloudFront (CloudFront).

Whether you use Amazon Simple Storage Service (Amazon S3), AWS Elemental MediaPackage (MediaPackage), or a custom origin, you can add your origin to CloudFront and then lock the origin down so that it only answers requests that come from your distribution. For detailed instructions, read Configure secure access and restrict access to content. The mechanism depends on the origin: for Amazon S3, an origin access control (OAC) together with a bucket policy that grants read access only to your distribution; for MediaPackage, CDN authorization, where CloudFront adds a secret header to every origin request and MediaPackage rejects requests that lack it; for a custom origin, a custom origin header that your origin checks, or an allow-list of the CloudFront IP ranges. Once this is in place, content is served only through CloudFront. Verify it the way an attacker would: request a segment from the origin hostname directly, bypassing CloudFront, and confirm that the origin refuses it.

Next, make sure the CORS rules on your chosen origin allow only the domain names that should be able to load your content. Keep in mind what CORS does and does not do: it is enforced by the browser, not by the origin. It stops JavaScript on another site (for example an HLS or DASH player embedded on copycat-site.com) from reading your manifests and segments, but a non-browser client such as curl or a scraping script ignores it entirely. Treat it as one layer on top of the origin access restrictions above, not as a replacement for them. The following image depicts how correct CORS rules secure your video streams.

The image shows a diagram of a common video delivery workflow in AWS. Pages on two domains (my-site.com and copycat-site.com) make requests to Amazon CloudFront for content hosted in the origins behind CloudFront. With CORS rules configured correctly, the origin returns an Access-Control-Allow-Origin header only for my-site.com, so the browser lets the player on my-site.com read the content and blocks the cross-origin read attempted from copycat-site.com.

Figure 1: Diagram showing CORS rules securing access to video streams.

The following is an example of an Amazon S3 CORS configuration that allows the GET method for the origin https://www.my-site.com. The browser compares the value exactly, scheme and host included, so https://my-site.com or http://www.my-site.com would not match this rule; list every origin you actually serve the player from.

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <!-- Exact match on scheme and host; add one AllowedOrigin per site that hosts the player -->
        <AllowedOrigin>https://www.my-site.com</AllowedOrigin>
        <!-- Players only read content, so do not allow PUT, POST or DELETE here -->
        <AllowedMethod>GET</AllowedMethod>
        <!-- Seconds the browser may cache the preflight result -->
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <!-- Request headers the browser is allowed to send cross-origin -->
        <AllowedHeader>Authorization</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

For more information on how to set up CORS rules and policies, read the documentation for Amazon S3 CORS and MediaPackage CORS. When CloudFront sits in front of the bucket, it must forward the Origin request header to S3 (for example with the managed CORS-S3Origin origin request policy) and include that header in the cache key; otherwise S3 never sees it, and a response cached for one site can be served to another without the right CORS headers.
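What the origin actually does with those rules, as an added example that is not part of the original post and not AWS code: a small Node.js function that makes the CORS decision for a custom origin the way S3 does for a bucket, with a minimal request handler around it. Hostnames and paths are hypothetical. It shows the exact-match allow-list, why the matching origin is echoed back instead of a wildcard, why the response must carry Vary: Origin, and the point made above: a request with no Origin header (curl, a scraper) still receives the body.

```javascript
// Added example, not code from the AWS blog. Allow-list of page origins
// (scheme + host, no path) whose JavaScript may read the streams. Hypothetical.
const ALLOWED_ORIGINS = new Set([
  'https://www.my-site.com',
  'https://my-site.com',
]);

// Decide the CORS response headers for one request. Returns an empty object
// when the Origin header is absent or not allow-listed: the browser will then
// refuse to hand the response to the calling page. The body is still served
// in every case; CORS never withholds data from non-browser clients.
function corsHeadersFor(requestHeaders) {
  const origin = requestHeaders['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  return {
    // Echo the one matching origin instead of '*': a wildcard would let any
    // page on the web read the content and cannot be combined with credentials.
    'access-control-allow-origin': origin,
    'access-control-allow-methods': 'GET, HEAD',
    // Range is needed by most players for partial segment fetches.
    'access-control-allow-headers': 'Authorization, Range',
    'access-control-max-age': '3000',
    // The headers differ per Origin, so any cache in front of the origin
    // (CloudFront included) must key on the Origin header.
    'vary': 'Origin',
  };
}

// Minimal origin handler: OPTIONS preflights get 204 with the CORS headers;
// everything else gets a constructed playlist body plus the CORS headers.
function handleRequest(req) {
  const cors = corsHeadersFor(req.headers);
  if (req.method === 'OPTIONS') {
    return { status: 204, headers: cors, body: '' };
  }
  return {
    status: 200,
    headers: { 'content-type': 'application/vnd.apple.mpegurl', ...cors },
    body: '#EXTM3U\n#EXT-X-VERSION:3\n#EXTINF:6.0,\nsegment001.ts\n',
  };
}

// Constructed requests: the same playlist requested by three different callers.
const SAMPLE_REQUESTS = {
  fromMySite: { method: 'GET', uri: '/hls/playlist.m3u8', headers: { origin: 'https://www.my-site.com' } },
  fromCopycat: { method: 'GET', uri: '/hls/playlist.m3u8', headers: { origin: 'https://copycat-site.com' } },
  fromCurl: { method: 'GET', uri: '/hls/playlist.m3u8', headers: {} },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  const res = handleRequest(req);
  console.log(name, res.status,
    res.headers['access-control-allow-origin'] || '(no CORS header: a browser would block the read)',
    'body bytes:', res.body.length);
}
```

Run it with node: all three callers receive the same 200 and the same playlist bytes, and only the request from my-site.com carries an allow-origin header. That is exactly why CORS must be paired with origin access restriction and tokens rather than used alone.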

2. iFrame embedding

Nested frames (iframes) are very common in web pages, especially for playing video: the developer simply embeds the player frame and points it at the desired video, which keeps the page itself light and makes deployment easier.

An iframe is an HTML element, the <iframe> tag, that embeds one HTML page (another website) inside your HTML page (your website). You see iframes all the time without realising it: the YouTube video embedded on a news site is an iframe, and the Facebook or Twitter post embedded in a blog usually is too. Each is an HTML page rendered inside another HTML page.

In the following example, all four videos in the first web page (top left) are inserted with iframe tags. When the user clicks one of the videos, it opens (second image, top right) as defined by the iframe tag that embedded it. The page where the video is actually hosted is on YouTube (lower centre image), and you can see it differs from the embedded view shown in the top right image.

Image with three screenshots explaining how videos inserted with iframe tags work: the embedding page, the video opened after a click (second screenshot), and the page on YouTube where the video is actually hosted (third screenshot).

Figure 2: Use of iframes embedded in websites.

To prevent unauthorized iframe embedding:

  1. Send anti-framing headers with the responses for your pages and player. The classic header is X-Frame-Options; its modern replacement is the Content-Security-Policy frame-ancestors directive, which current browsers honour and which, unlike X-Frame-Options, can name specific partner sites. Send both while you still support older browsers. For more information, see the Mozilla Developer Network documentation.
  2. Use a CloudFront response headers policy to add them at the edge. For a detailed explanation, read Adding HTTP security headers to CloudFront responses.
  3. Set appropriate X-Frame-Options values:
    1. Use SAMEORIGIN if the page that embeds the player is on the same origin as the player
    2. Use DENY to prevent embedding by anyone
    (ALLOW-FROM is obsolete and ignored by current browsers; use frame-ancestors when you need a list of allowed sites.)
  4. Frame-busting JavaScript that navigates the top window back to your page is at best a fallback: a hostile site can neutralise it with the iframe sandbox attribute, and it only runs once your page has already loaded inside the frame. Rely on the headers and treat the script as a supplement.
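The header choice from the list above in working form, as an added example that is not part of the original post and not AWS code: a Node.js script that picks the right X-Frame-Options and frame-ancestors values for a given set of allowed embedders and applies them in a viewer-response handler written in the shape of a CloudFront Function (a response headers policy is the simpler tool for fixed values; the handler form shows where the decision belongs). The partner domain is hypothetical. It applies the headers only to HTML responses, since only a document can be framed, and merges with a Content-Security-Policy the origin already sends instead of overwriting it.

```javascript
// Added example, not code from the AWS blog. Chooses anti-framing headers for
// a player page and applies them in a viewer-response handler written in the
// shape of a CloudFront Function (event.response.headers maps header name to
// { value }). The partner domain is hypothetical.

// Who may frame the player page. Edit for your site:
//   []                                  -> nobody
//   ['self']                            -> only pages from the same origin
//   ['self', 'https://partner.example'] -> same origin plus the listed sites
const ALLOWED_ANCESTORS = ['self'];

function framingHeaders(allowedAncestors) {
  const headers = {};
  if (allowedAncestors.length === 0) {
    headers['x-frame-options'] = { value: 'DENY' };
    headers['content-security-policy'] = { value: "frame-ancestors 'none'" };
  } else if (allowedAncestors.length === 1 && allowedAncestors[0] === 'self') {
    headers['x-frame-options'] = { value: 'SAMEORIGIN' };
    headers['content-security-policy'] = { value: "frame-ancestors 'self'" };
  } else {
    // X-Frame-Options cannot express a list of partner sites (ALLOW-FROM is
    // obsolete), so rely on CSP alone rather than sending a contradictory
    // X-Frame-Options value alongside it.
    const sources = allowedAncestors.map(a => (a === 'self' ? "'self'" : a)).join(' ');
    headers['content-security-policy'] = { value: `frame-ancestors ${sources}` };
  }
  return headers;
}

function isHtml(response) {
  const ct = response.headers['content-type'];
  return Boolean(ct && ct.value.toLowerCase().startsWith('text/html'));
}

// Add the framing headers to a header map. If the origin already sends a CSP,
// append frame-ancestors to it (unless it already has one) instead of
// clobbering its other directives.
function applyFraming(headers, framing) {
  const add = { ...framing };
  const existing = headers['content-security-policy'];
  if (existing && add['content-security-policy']) {
    if (/frame-ancestors/i.test(existing.value)) {
      delete add['content-security-policy'];     // origin already decided
    } else {
      const base = existing.value.replace(/;\s*$/, '');
      add['content-security-policy'] = { value: `${base}; ${add['content-security-policy'].value}` };
    }
  }
  Object.assign(headers, add);
}

// Viewer-response handler. Only HTML documents can be placed in a frame, so
// the headers go on page and player responses; manifests and segments are
// left alone (X-Frame-Options on a .ts segment protects nothing).
function handler(event) {
  const response = event.response;
  if (isHtml(response)) {
    applyFraming(response.headers, framingHeaders(ALLOWED_ANCESTORS));
  }
  return response;
}

// Constructed events: a player page and a media segment.
const pageEvent = { response: { statusCode: 200, headers: { 'content-type': { value: 'text/html; charset=utf-8' } } } };
const segmentEvent = { response: { statusCode: 200, headers: { 'content-type': { value: 'video/mp2t' } } } };
console.log('page headers   :', handler(pageEvent).headers);
console.log('segment headers:', handler(segmentEvent).headers);
```

Note that with a partner list the function deliberately emits no X-Frame-Options at all: browsers that understand frame-ancestors ignore X-Frame-Options when both are present, but a stray DENY would break the partner embed in browsers that only know the older header.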

3. URL sharing

To address URL sharing, you can employ several methods:

a. Tokenized URLs

With tokenized URLs, requests are served only when a valid token is present. The token is usually a signature (for example an HMAC) over fields such as the content path and an expiry time, and it is commonly given a short lifetime so that a leaked URL stops working quickly.

Examples of what a common implementation looks like:

https://example.com/hls/playlist.m3u8?token=4180da90a6973bc8bd801bfe49f04a&expiry=1526231040535

and

https://example.com/hls/segment001.ts?token=4180da90a6973bc8bd801bfe49f04a&expiry=1526231040535

A request for the same content without a valid, unexpired token (for example a bare https://example.com/hls/segment001.ts) is rejected with an HTTP 403 error code.

Benefits of using tokenized URLs:

  • Time limited
  • Prevents static hotlinking

Drawbacks of using tokenized URLs:

  • Can be shared: anyone who obtains the URL can replay it from anywhere until it expires
  • Can be scraped: the token travels in plain URLs, so a script that fetches the playlist and follows its segment links gets playable content

b. Session-based tokens

To enhance URL tokens, you can create session-based tokens that are tightly linked to a specific user. Where a generic token only prevents direct access to the resources, a session token also prevents access outside the context of your site or application: the token is computed over, and checked against, attributes of the requesting user such as the IP address, User-Agent, a hash generated by your player's JavaScript, and other user-specific information, so the same URL presented from another device fails validation. Choose the bound attributes with care: client IP addresses change on mobile networks and behind carrier NAT, so binding strictly to the IP can interrupt legitimate sessions.

Benefits of using session-based tokens:

  • Additional layer of security
  • Access Control tied to a specific user
  • Allows for tracking and analytics
  • Allows for expiration and revocation

Drawbacks of using session-based tokens:

  • Added complexity
  • Can impact performance of the application
  • May not be supported by third-party players or CDNs

CloudFront also supports this pattern natively with signed URLs and signed cookies (trusted key groups); signed cookies suit HLS and DASH well because one cookie covers the manifest and every segment under a path. For a robust implementation that adds session binding and validates tokens at the edge, consider using AWS Secure Media Delivery at the Edge.

c. Add Login or Paywall

Streams that sit behind a user login or paywall are much less likely to be scraped or played externally. Combined with user-specific tokens, this provides a fair level of protection.

Benefits of adding a login or paywall:

  • Reduces unwanted public traffic
  • Streaming authentication is tied to an actual user session

Drawbacks of adding a login or paywall:

  • More complex
  • Increases barrier to engagement

To improve your application authentication workflow, read Improve your app authentication workflow with new Amazon Cognito features. For a solution that moves your paywall to the edge, review our Guidance for Moving Your Paywall to the Edge on AWS.

d. Use HTTPS connections

Always serve your pages and streams over HTTPS (Hypertext Transfer Protocol Secure). HTTPS is HTTP carried inside a Transport Layer Security (TLS) session (TLS replaced the earlier Secure Sockets Layer, SSL, whose name lingers in the term “SSL certificate”), which encrypts and authenticates the traffic between the viewer and your site.

An HTTPS connection also verifies the identity of the website, so the viewer knows they are communicating with the real site. This confirmation:

  • Protects against eavesdropping and tampering on the network
  • Verifies the website’s identity
  • Ensures data integrity

Image showing the SSL/TLS handshake in six steps: 1. The client sends ClientHello to the server (supported SSL/TLS versions and cipher suites). 2. The server responds with ServerHello (the highest version and cipher suite both sides support). 3. The server presents its digital certificate. 4. The client validates the certificate and sends an encrypted premaster secret. 5. The server decrypts the premaster secret and both sides compute the session key. 6. The secured session is established. The diagram shows the RSA key exchange of TLS 1.2 and earlier; TLS 1.3 instead derives the keys from an ephemeral Diffie-Hellman exchange and completes in fewer round trips.

Figure 3: SSL/TLS communication handshake diagram.

Benefits of using HTTPS connections:

  • Encrypts traffic in transit between the viewer and the CloudFront edge and, with an HTTPS-only origin protocol policy, between CloudFront and your origin (CloudFront terminates TLS at the edge, so this is hop-by-hop rather than strictly end-to-end)
  • Establishes trust and credibility
  • Helps meet the requirements of standards and regulations such as PCI DSS, HIPAA, GDPR, NIST and ISO 27001
  • Better Search Engine Optimization (SEO)

Drawbacks of using HTTPS connections:

  • Added latency for the handshake on new connections (small with TLS 1.3 and session resumption)
  • Configuration complexity in managing TLS certificates and their renewal (AWS Certificate Manager issues and renews certificates for CloudFront)
  • Legacy compatibility with very old clients that lack TLS 1.2
  • Increased server load

The benefits of HTTPS typically outweigh the drawbacks, especially for applications handling sensitive information or transactions; the security and trust it provides have become essential for modern web applications.

To configure HTTPS with CloudFront, read about how to Use HTTPS with CloudFront.
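A check for those transport settings, as an added example that is not part of the original post and not AWS code: a Node.js audit over a CloudFront DistributionConfig in the shape returned by the AWS CLI's get-distribution-config. The two configurations are constructed, one with the weak settings and one corrected; the field names and allowed values are CloudFront's, while the distribution, domain names and certificate ARN are hypothetical.

```javascript
// Added example, not code from the AWS blog. Audits the transport settings of
// a CloudFront DistributionConfig (the JSON shape returned by
// `aws cloudfront get-distribution-config`). Field names and allowed values
// are CloudFront's; the two configs below are constructed for the demo.

// Security policies that refuse TLS 1.0 and 1.1 clients.
const MODERN_TLS_POLICIES = new Set(['TLSv1.2_2018', 'TLSv1.2_2019', 'TLSv1.2_2021']);

function auditTransport(cfg) {
  const findings = [];

  // Viewer side: every cache behavior must refuse or redirect plain HTTP.
  const behaviors = [cfg.DefaultCacheBehavior]
    .concat((cfg.CacheBehaviors && cfg.CacheBehaviors.Items) || []);
  behaviors.forEach((b, i) => {
    const where = i === 0 ? 'default behavior' : `behavior ${b.PathPattern}`;
    if (b.ViewerProtocolPolicy === 'allow-all') {
      findings.push(`${where}: ViewerProtocolPolicy allow-all serves streams over plain HTTP; use redirect-to-https or https-only`);
    }
  });

  // Origin side: custom origins (MediaPackage, a load balancer, ...) choose the
  // protocol explicitly. S3 origins always use match-viewer, so requiring
  // HTTPS from viewers covers that hop.
  for (const origin of cfg.Origins.Items) {
    const custom = origin.CustomOriginConfig;
    if (custom && custom.OriginProtocolPolicy !== 'https-only') {
      findings.push(`origin ${origin.Id}: OriginProtocolPolicy ${custom.OriginProtocolPolicy} allows plain HTTP between CloudFront and the origin; use https-only`);
    }
  }

  // TLS version floor: only settable with your own (ACM) certificate; the
  // default *.cloudfront.net certificate is pinned to TLSv1.
  const cert = cfg.ViewerCertificate || {};
  if (cert.CloudFrontDefaultCertificate) {
    findings.push('ViewerCertificate: default *.cloudfront.net certificate, MinimumProtocolVersion is fixed at TLSv1; attach an ACM certificate for your own domain');
  } else if (!MODERN_TLS_POLICIES.has(cert.MinimumProtocolVersion)) {
    findings.push(`ViewerCertificate: MinimumProtocolVersion ${cert.MinimumProtocolVersion} still admits TLS 1.0/1.1 clients; use TLSv1.2_2021`);
  }
  return findings;
}

// Constructed weak configuration (hypothetical names): HTTP allowed from
// viewers, plain HTTP to MediaPackage, default certificate.
const WEAK_CONFIG = {
  DefaultCacheBehavior: { TargetOriginId: 'mediapackage', ViewerProtocolPolicy: 'allow-all' },
  CacheBehaviors: { Quantity: 1, Items: [
    { PathPattern: '/vod/*', TargetOriginId: 's3-vod', ViewerProtocolPolicy: 'https-only' },
  ] },
  Origins: { Quantity: 2, Items: [
    { Id: 'mediapackage', DomainName: 'abc123.mediapackage.us-east-1.amazonaws.com',
      CustomOriginConfig: { HTTPPort: 80, HTTPSPort: 443, OriginProtocolPolicy: 'http-only' } },
    { Id: 's3-vod', DomainName: 'my-vod-bucket.s3.us-east-1.amazonaws.com',
      S3OriginConfig: { OriginAccessIdentity: '' } },
  ] },
  ViewerCertificate: { CloudFrontDefaultCertificate: true },
};

// The same distribution corrected.
const HARDENED_CONFIG = {
  ...WEAK_CONFIG,
  DefaultCacheBehavior: { TargetOriginId: 'mediapackage', ViewerProtocolPolicy: 'redirect-to-https' },
  Origins: { Quantity: 2, Items: [
    { Id: 'mediapackage', DomainName: 'abc123.mediapackage.us-east-1.amazonaws.com',
      CustomOriginConfig: { HTTPPort: 80, HTTPSPort: 443, OriginProtocolPolicy: 'https-only' } },
    WEAK_CONFIG.Origins.Items[1],
  ] },
  ViewerCertificate: {
    ACMCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/hypothetical-id',
    SSLSupportMethod: 'sni-only',
    MinimumProtocolVersion: 'TLSv1.2_2021',
  },
};

console.log('weak    :', auditTransport(WEAK_CONFIG));
console.log('hardened:', auditTransport(HARDENED_CONFIG));
```

Feed it the output of get-distribution-config (the DistributionConfig member) for each of your distributions and the three findings the weak configuration produces are the ones to fix before relying on HTTPS as a control.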

e. Digital Rights Management

HTTPS between users and your website does not stop a user from downloading the video content, copying it and redistributing it. If your requirements and business case demand that users cannot download and redistribute your content, apply Digital Rights Management (DRM) to your video streams.

The AWS Media Services that can apply DRM are MediaPackage and AWS Elemental MediaConvert (MediaConvert). Both use the Secure Packager and Encoder Key Exchange (SPEKE) API to obtain content keys from a DRM key provider during packaging or encoding.

You are responsible for deploying and integrating a SPEKE-compliant key provider (typically supplied by a DRM vendor). To apply DRM to your video streams, review Content encryption and DRM in AWS Elemental MediaPackage and Protecting your media assets with encryption and DRM using AWS Elemental MediaConvert.

The following (Figure 4) is an example DRM workflow.

Image showing the video delivery workflow in AWS using SPEKE API to securely exchange encryption keys to encrypt video during packaging and video encoding. Video player requests decryption keys directly from the DRM license server.

Figure 4: Video workflow using DRM with SPEKE.

Benefits of using DRM:

  • Makes downloaded segments useless without a license: the content is encrypted, and only a player that obtains the key from the license server can decrypt it
  • Enforces content licensing rules
  • Supports different playback platforms
  • Enables secure offline playback (when configured)
  • Provides detailed content usage analytics

Drawbacks of using DRM:

  • Privacy concerns
  • Technical complexity
  • Added cost

Conclusion

Securing your media streaming origin is crucial for protecting your content and maintaining customer trust. By implementing a combination of our described methods, you can significantly enhance your application’s security posture.

We recommend starting by configuring Amazon CloudFront and enabling HTTPS to serve your content. Implement proper CORS rules and use tokenized URLs with session-based validation. Consider also setting up iframe protection.

As a best practice, layer multiple security methods for comprehensive protection. Regularly monitor and audit your security measures, while balancing your security requirements with the user experience.

For next steps we recommend assessing your current security posture, identifying any gaps in your content protection strategy and implementing the security measures described in this blog. You will also want to monitor and adjust your security configuration as needed for the best user experience.

For more information on AWS media solutions, visit the AWS Media & Entertainment page or contact an AWS Representative to know how we can help accelerate your business.

Nuno Quental

Nuno Quental is a Senior Solutions Architect for AWS Elemental.

Brian Bedard

Brian Bedard is a Senior Solutions Architect for AWS Elemental.