Video security is an important topic and unfortunately its gets a little techie below.
Currently we have 2 different private video options. Both will require the user be logged-in in order to access the video.
- Self-hosted. We cookie the user’s session in a transient and allow them to view a video that’s streamed through your PHP server. This URL cannot be shared, since it requires the viewer’s HTTP cookie be set to something specific and unique.
- BunnyNet private video. These videos have automatically expiring access tokens attached to them, and you can lock down the access to a specific domain (yours). So these links aren’t shareable either.
Self Hosted Private Video
Self hosted private video urls are created on the fly using WordPress nonces, meaning they need to match the user’s logged in cookie in a unique way. This means urls from self-hosted videos cannot be shared between users.
Additionally, we are working on an option to disallow direct access to these URLs which makes it difficult for users to open the url in their browser to download the video.
Bunny.net Private Video
With our Bunny.net integration, videos are served via unique expiring urls. You can also lock down access to these urls to they are only able to be viewed on your site (if there’s no referrer or the referrer is another site, it won’t load). This is using .mp4 video files.
Preventing direct access also makes it very difficult for the average user to download the video to their device.
Presto Player Pro supports HLS video streams. HLS is an adaptive video streaming format that downloads videos in small chunks. This serves several purposes. First, it’s stream quality automatically adapts to the user’s internet speed to ensure buffering is not an issue. It also has the added benefit of preventing a user from downloading the stream without using a program or browser extension.
Presto Player is fully integrated with Bunny.net’s stream service, which has dynamic quality switching. With private video, we use Expiring Token Authentication, so HLS stream links will expire after a certain period of time.
In addition, when we launch our overlays feature there will be a dynamic overlay option to display the logged in users details over the video, sorta like what the movie industry does to track down preview copies. This will discourage people from using screen recorders.
Keep in mind, nothing here is bullet-proof. Most of these security features can be worked around by either a browser extension, or just whipping open a screen recorder. Even big companies like Vimeo/Netflix/Hulu, etc. have issues stopping pirated copies of their videos. However, what we can do is layer different security features to make it a pain to do so, and keep honest people honest.