Stream Security Settings
The <StreamSecuritySettings> block defines access protection mechanisms for streams, including token-based authorization and domain-level playback restrictions. These settings apply exclusively to Storm Player Core and Storm Player UI connections (storm-mse and storm-hls harnesses).
Available in: mono, edge
Sample Configuration
<StreamSecuritySettings>
    <TokenProtection enabled="true">
        <Secret>mysupersecret</Secret>
        <HashAlgorithm>sha256</HashAlgorithm>
        <TokenLifespan>10</TokenLifespan>
    </TokenProtection>
    <DomainAccessRights>
        <AccessRight type="allow" domain="*" />
    </DomainAccessRights>
</StreamSecuritySettings>
Token Protection
Token Protection controls access to video playback and player embedding. Without this protection, the player embed code can be copied and embedded on any other website without restriction.
| Parameter | Description | Default |
|---|---|---|
| TokenProtection:enabled | If set to true, token-based authorization is required for Storm Player Core and Storm Player UI connections. | false |
| <Secret> | A shared secret string used as part of the token hash generation. | — |
| <HashAlgorithm> | Hash algorithm used for token generation. | — |
| <TokenLifespan> | Token validity period in minutes. | — |
Token Generation
A token must be generated on your backend. It is created by combining the shared secret with a timestamp (a 10-digit Unix epoch time in seconds) and hashing the result.
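<?php
// Must match <Secret> in the server configuration; keep it on the backend only.
$sharedSecret = "mysupersecret";
// 10-digit Unix epoch time in seconds.
$timestamp = time();
// The token is the hash of the secret concatenated with the timestamp.
$data = $sharedSecret . $timestamp;
// The algorithm must match <HashAlgorithm>.
$token = hash('sha256', $data);
echo "Token: " . $token . PHP_EOL;
echo "Timestamp: " . $timestamp . PHP_EOL;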
Assigning the Token to the Player
The generated token and timestamp must be passed to the Storm Player configuration:
const streamConfig = {
    stream: {
        // stream configuration
    },
    settings: {
        security: {
            type: "token",
            token: "3f7af6d8a2df9307902f62ff16f1678466",
            timestamp: 1721654321
        }
    }
};
const storm = new StormPlayerCore(streamConfig);
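The following Node.js sketch is an added example, not code from Storm or from the original page. It issues the token and timestamp pair on the backend, so the secret never reaches the browser, and shows how the TokenLifespan window bounds reuse of a copied token. The function names and the validation logic in isTokenValid are assumptions; the page does not describe how the server checks tokens.

```javascript
// Added example (not Storm's code): issue and check tokens as described above.
const crypto = require("crypto");

// token = HASH(secret + timestamp), hex-encoded, matching the PHP sample.
function generateToken(secret, timestamp, algorithm = "sha256") {
  return crypto.createHash(algorithm).update(secret + String(timestamp)).digest("hex");
}

// Builds the settings.security object passed to the player configuration.
function buildSecuritySettings(secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  return { type: "token", token: generateToken(secret, nowSeconds), timestamp: nowSeconds };
}

// ASSUMPTION: the server recomputes the hash and rejects timestamps older than
// TokenLifespan minutes. Hypothetical validator, for reasoning about the scheme.
function isTokenValid(token, timestamp, secret, lifespanMinutes, nowSeconds) {
  if (!/^\d{10}$/.test(String(timestamp))) return false;   // 10-digit epoch seconds
  const age = nowSeconds - Number(timestamp);
  if (age < 0 || age > lifespanMinutes * 60) return false; // future-dated or expired
  const expected = Buffer.from(generateToken(secret, timestamp), "utf8");
  const supplied = Buffer.from(String(token), "utf8");
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return supplied.length === expected.length && crypto.timingSafeEqual(supplied, expected);
}

// Constructed sample values; in production read the secret from the environment.
const SECRET = "mysupersecret";
const ISSUED_AT = 1721654321;
const sample = buildSecuritySettings(SECRET, ISSUED_AT);
console.log(sample);
console.log("fresh:", isTokenValid(sample.token, sample.timestamp, SECRET, 10, ISSUED_AT + 60));
console.log("expired:", isTokenValid(sample.token, sample.timestamp, SECRET, 10, ISSUED_AT + 601));
```

Because the token is derived only from the secret and the timestamp, a copied pair stays usable until the lifespan elapses, so generate a fresh pair per page load and keep TokenLifespan short.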
Usage with Third-Party Players
Token protection can also be used with third-party players (e.g. FlowPlayer, JW Player, Video.js) by appending the token as a query parameter to the Generic HLS playback URL:
http://{SERVER_HOST}/generic_hls/{APP_NAME}/{STREAM_KEY}.m3u8?token=3f7af6d8a2df9307902f62ff16f1678466
Where {SERVER_HOST} is your server's hostname, {APP_NAME} is the application name, and {STREAM_KEY} is the stream key.
Domain Access Rights
Domain Access Rights provide an additional layer of access control by restricting which domains are allowed to embed the video player. Unlike Token Protection, this mechanism does not require any backend-side implementation.
The configuration supports two rule types: allow (permits access) and deny (blocks access). The wildcard character * can be used to match all domains or subdomains.
a) Allow only a specific domain:
<DomainAccessRights>
    <AccessRight type="deny" domain="*" />
    <AccessRight type="allow" domain="acme.com" />
</DomainAccessRights>
b) Allow a specific domain and all its subdomains:
<DomainAccessRights>
    <AccessRight type="deny" domain="*" />
    <AccessRight type="allow" domain="acme.com" />
    <AccessRight type="allow" domain="*.acme.com" />
</DomainAccessRights>
c) Block a specific domain:
<DomainAccessRights>
    <AccessRight type="allow" domain="*" />
    <AccessRight type="deny" domain="acme.com" />
</DomainAccessRights>
Domain-based access control relies on the browser-provided Origin header. A client that is not a browser can send any value in that header, so for enhanced security, use it in combination with Token Protection.
All parameters support environment variables using the ${EV:VARIABLE_NAME} syntax. Fields locked by environment variables cannot be modified via the REST API.