Protection - Video CDN [EN]
Securing your content is a critical component of modern content delivery infrastructure. While in an ideal world protection mechanisms might not be needed, the reality is different: content theft, hotlinking, scraping, and abuse are ongoing challenges that must be addressed proactively.
This section provides a technical overview of the key protection mechanisms supported by our platform. Each is designed to mitigate specific categories of threats, allowing you to maintain control over your content distribution while minimizing the risk of unauthorized access or misuse.
Whether your goal is to prevent unauthorized embedding, enforce geo-restrictions, limit the reuse of signed URLs, or detect automated access patterns, the tools described here offer flexible and interoperable solutions tailored to real-world risks.
Hotlinking in a nutshell
Hotlinking refers to the unauthorized use of media files (such as video, images, or audio) hosted on one website by embedding them on another site. In the context of video content, this means a third-party website displays your video files to its own users — directly streaming them from your CDN or origin — without permission.
This becomes a serious issue when such a third party not only avoids the cost of maintaining its own video library but also monetizes your content by inserting its own advertising. Meanwhile, your site bears the burden of the bandwidth and infrastructure costs, yet sees reduced traffic and fewer ad impressions — directly impacting your revenue and sustainability.
In its simplest form, hotlinking undermines your business model by exploiting your content and infrastructure. While the hotlinking site earns profit from redistributed content, you receive no credit, control, or compensation. This type of abuse is particularly harmful for media-based businesses that rely on user traffic and ad monetization to cover operational costs.
Technically, hotlinking occurs when an HTML element, such as <video>, <img>, or <iframe>, references a media file directly from your CDN using its URL. Browsers fetch this resource from your infrastructure but display it within the UI of the unauthorized site.
This behavior is indistinguishable from a legitimate visitor in many respects — the same IP ranges and headers may be used.
Anti-Hotlinking Strategy
Our platform provides an extensive range of protection mechanisms designed to counteract hotlinking. These include verifying the source of requests to ensure that visitors access content through your site (in different ways), URL personalization for your site visitors, controlling the validity period of content URLs, geographic restrictions on where your content is available, enforcing transport security, controlling browser-side content usage, and techniques that detect and mitigate scraping, content leaking, or unauthorized mass access.
At the same time, it is critically important for us to preserve as much legitimate traffic as possible. In many cases, distinguishing between abusive and valid requests becomes a non-trivial challenge. The protection system operates using non-linear, adaptive logic that evaluates multiple signals in context. Rather than making decisions based on a single factor, the system aggregates and analyzes a combination of indicators to assess legitimacy — balancing on the edge of statistical variance in complex cases.
The effectiveness of our protection increases significantly when different mechanisms are used in combination. In some cases, this is due to technical dependencies between components (like URL signing), while in others, it is simply the result of practical engineering considerations (for instance, the usage of URL encryption). For best results, we strongly recommend reviewing the guidance on how different features interact, as noted throughout the documentation.
Each protection technique is designed to complement others, forming a layered and cohesive security framework for your video content delivery.
Additional recommendations for protection
Because bots can emulate user activity on your site and obtain valid links that pass CDN security checks, you need bot identification on your website itself, not only within the CDN. For instance, set up a check of the web server access logs for the number of requests from a single IP.
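The access-log check suggested above can be sketched as follows. This is an added example, not code from the platform: it assumes logs in the common/combined format in chronological order, and the threshold (more than 5 requests in 10 seconds) and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Leading fields of the common/combined access-log format: client IP, timestamp.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def sample_lines():
    """Constructed log lines: one burst client and one ordinary visitor."""
    tail = 'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
    lines = [
        f'198.51.100.23 - - [10/Mar/2025:12:00:{s:02d} +0000] "GET /watch/{100 + s} {tail}'
        for s in range(8)                      # 8 page views in 8 seconds
    ]
    lines += [
        f'203.0.113.7 - - [10/Mar/2025:12:0{m}:30 +0000] "GET /watch/7 {tail}'
        for m in range(3)                      # 3 page views over 2 minutes
    ]
    lines.append("garbage line that does not parse")
    return lines

def flag_busy_ips(lines, max_requests=5, window=timedelta(seconds=10)):
    """Return {ip: peak_count} for IPs that exceed max_requests in any window.

    Assumes the lines are in chronological order, as access logs are.
    """
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peaks = {}
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue              # skip malformed lines instead of failing
        ip, stamp = match.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        queue = recent[ip]
        queue.append(ts)
        while ts - queue[0] > window:
            queue.popleft()       # drop requests that fell out of the window
        if len(queue) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(queue))
    return peaks

if __name__ == "__main__":
    print(flag_busy_ips(sample_lines()))
```

A per-IP count is only one signal: clients behind a shared NAT or proxy can exceed a low threshold legitimately, so tune the window to your real page-view patterns before acting on it.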
Secrets
A secret is a sensitive token used to generate URL signatures and to encrypt URLs.
The system supports two Signature secrets simultaneously: a primary and an alternative.
Both secrets are treated as functionally equivalent: each can be used for signature validation or decryption. The validation is considered successful if it succeeds with either of the secrets.
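Accepting either secret is what makes rotation possible without breaking links that are already issued. The sketch below is an added example, not the platform's implementation: the signing scheme (HMAC-SHA256 over `path|expires`, hex-encoded), the function names and the secrets are all assumptions made for illustration.

```python
import hashlib
import hmac

def sign(path: str, expires: int, secret: bytes) -> str:
    """Hypothetical scheme: HMAC-SHA256 over "path|expires", hex-encoded."""
    message = f"{path}|{expires}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()

def verify(path: str, expires: int, signature: str, secrets, now: int) -> bool:
    """Accept an unexpired link if any configured secret validates it."""
    if now > expires:
        return False
    valid = False
    for secret in secrets:
        expected = sign(path, expires, secret)
        # Constant-time comparison, and no early exit, so response timing
        # does not reveal which secret slot (if any) matched.
        valid |= hmac.compare_digest(expected.encode(), signature.encode())
    return valid

def rotation_demo():
    """Walk one link through a rotation using constructed secrets."""
    old, new = b"constructed-old-secret", b"constructed-new-secret"
    path, expires, now = "/video/abc/master.m3u8", 1_700_000_600, 1_700_000_000
    link_sig = sign(path, expires, old)          # link issued before rotation
    return {
        "before_rotation": verify(path, expires, link_sig, [old], now),
        # primary = new, alternative = old: old links keep working
        "during_rotation": verify(path, expires, link_sig, [new, old], now),
        # once the old secret is removed, links signed with it stop validating
        "after_retiring_old": verify(path, expires, link_sig, [new], now),
        "tampered_path": verify("/video/xyz/master.m3u8", expires, link_sig,
                                [new, old], now),
        "expired": verify(path, expires, link_sig, [new, old], expires + 1),
    }

if __name__ == "__main__":
    for step, accepted in rotation_demo().items():
        print(f"{step}: {accepted}")
```

Keep the old secret in the alternative slot at least as long as the longest link validity period you issue, then remove it.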
Bypass protection for Googlebots
In certain scenarios, strict content protection mechanisms may interfere with legitimate access—most notably, from search engine crawlers. This can unintentionally block indexing or lead to degraded visibility of your content.
To address this, the system provides an option to bypass all previously mentioned protection checks specifically for Googlebot. This ensures that content remains accessible for indexing without compromising user-facing security policies.
Googlebot crawlers differ from typical HTTP clients through identifiable characteristics, for example, their unique User-Agent headers. However, relying on headers is not secure, as they can easily be spoofed by malicious actors.
To ensure accurate detection, our system verifies crawler authenticity based on the official list of IP ranges published by Google. Specifically, it references the following endpoints:
https://developers.google.com/search/apis/ipranges/googlebot.json
https://developers.google.com/search/apis/ipranges/special-crawlers.json
By validating requests against these trusted IPs, we guarantee that only legitimate Google crawlers receive the bypass privileges, maintaining security while ensuring seamless indexing.
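The same IP-range check can be applied on your own web server. This is an added example, not the platform's code: the sample document follows the shape of the published JSON (a `prefixes` list of `ipv4Prefix` / `ipv6Prefix` entries) but uses constructed documentation ranges, and the function names and result labels are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of googlebot.json. The ranges below are
# documentation addresses, not Google's real ones; load the published files
# in production and refresh them periodically.
SAMPLE_RANGES = json.loads("""
{
  "creationTime": "2025-01-01T00:00:00.000000",
  "prefixes": [
    {"ipv4Prefix": "192.0.2.0/27"},
    {"ipv6Prefix": "2001:db8:4801::/64"}
  ]
}
""")

def load_networks(doc):
    """Turn the 'prefixes' list into ip_network objects."""
    networks = []
    for entry in doc.get("prefixes", []):
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if cidr:
            networks.append(ipaddress.ip_network(cidr))
    return networks

def classify(remote_addr, user_agent, networks):
    """Decide on the source IP alone; the User-Agent never grants a bypass.

    remote_addr must be the address of the TCP peer (or a header set by a
    proxy you control), not a client-supplied header.
    """
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        ip = None
    if ip is not None and ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped               # normalise ::ffff:a.b.c.d
    if ip is not None and any(
        ip.version == net.version and ip in net for net in networks
    ):
        return "verified-crawler"
    if "googlebot" in user_agent.lower():
        return "spoofed-crawler"          # claims Googlebot from an unlisted IP
    return "regular-client"

if __name__ == "__main__":
    nets = load_networks(SAMPLE_RANGES)
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    for addr in ("192.0.2.10", "198.51.100.9", "2001:db8:4801::1"):
        print(addr, classify(addr, ua, nets))
```

Requests classified as `spoofed-crawler` are worth logging separately, since a forged crawler User-Agent is itself a signal of automated access.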
DDoS Protection
Our CDN is architected to naturally resist low- to mid-scale DDoS attacks due to its distributed design and large-scale infrastructure. The sheer volume of capacity across our global network makes it impractical for amateur-level attacks to have any meaningful impact. Generating enough load to disrupt service would require substantial resources well beyond typical threat levels.
For clients concerned about targeted or high-intensity attacks, we offer additional layers of protection and mitigation strategies. Please reach out to our technical support team. We’re open to discussing your project’s needs and tailoring solutions that ensure resilience under any threat level.