I have a website that streams some tv channels. All are HLS streams.
SO, for each m3u8 file, we attach an authentication token (Ex. xxxx.m3u8?t=xxxxxx&e=xxxxx). this token will work for all channels for few minute.
With my current week security, all unauthorized website owners are curling any channel page and extracting that auth token to use with my static m3u8 files.
Here is my player code,
<div id="oWhrSRcF4qjyr0x"><div>
<script type="text/javascript">
var logo = "http://example/logo.png
var link = "http://example.com
jwplayer("oWhrSRcF4qjyr0x").setup({
"autostart":true,
"androidhls":"true",
"stretching": "exactfit",
"file":"http://example.com/stream.m3u8?t=xxxxxx&e=xxxxx",
"logo": {"file":logo,"margin":"-0", "position":"top-left","hide":"false","link":link},
});
</script>
In the above player, "file":"http://example.com/stream.m3u8?t=xxxxxx&e=xxxxx",
keeps on changing for few minutes.
What i want to do here is obfuscating the entire player element not just the auth token from my server using php. i am aware that obfuscated code can be revealed easily, but here the token keeps on changing. i dont want a simple php file on their site to get auth token from my site.
Also, in my opinion, they cant use entire page as it contains my site logo.
I would be glad if anyone can help me with these.
- protecting my auth token.
- prevent curling my player.
Also, i tried to prevent curling my player by adding a session id to all links, but people are smart to bypass it, also i tried to obfuscated with Dean Edwards 's Packer, Its not a hiding everything. i just want to make the token not to be extracted alone.
So, please suggest any tool like that.