Security features for live streams in Wowza Video

The Wowza Video™ service offers a comprehensive set of security features designed to safeguard the delivery and access of streams throughout the entire process, starting from capturing with a camera or source encoder, undergoing transcoding, and, ultimately, generating streams for viewer consumption in a player. 

This article outlines which security features are available for different types of live streams. It also points to instructions for implementing the security features using the Wowza Video REST API or the Wowza Video user interface.

Security features for HLS live streams using Wowza CDN on Fastly


The following features are available to secure an HLS stream that uses Wowza CDN on Fastly stream targets in Wowza Video.

User authentication for source connection on Fastly

User authentication for HLS streams provides a secure connection from the source encoder or camera into the ingest origin server and prevents third parties from connecting to and altering your stream. When user authentication is enabled on a push stream, Wowza Video requires the source encoder or camera to use a username and password associated with the stream to establish a connection. You can also configure user authentication on a pull stream so that the source encoder or camera uses values set on the encoder side to connect to a live stream or transcoder in Wowza Video.

Wowza Video generates default user authentication values for you for push streams. To view and edit the authentication for a push stream:

  1. Go to Live streams in the navigation.
  2. Select a live stream.
  3. Click the Security tab. A default username and password are generated for you and you can view them in the Authentication section.
  4. To change the default values, click Change source username/password and enter new values.
  5. Click Save changes.

You can also use authentication for pull streams like IP cameras. To configure:

  1. Go to Live streams in the navigation.
  2. Click +Add New.
  3. Select a live stream Type to configure. 
  4. Add a Title and Region.
  5. Select an encoder or IP camera for the Stream Input Type, like IP Camera.
  6. Enter a source URL value that includes authentication information for the source encoder or IP camera, such as username and password.
  7. Complete creation of the live stream.
Note: Refer to documentation for your encoder or camera for information on the syntax of the source URL and available methods of source authentication. Authentication information included in the source URL can only contain alphanumeric, period (.), underscore (_), and hyphen (-) characters. The source URL for your camera or encoder must include a publicly accessible hostname or IP address.

See this article to configure user authentication for streams using Wowza CDN on Fastly targets through our Wowza Video REST API:

SSL for playback on Fastly

After Wowza Video transcodes (or passes through) encoded live source video, it passes the video stream through stream targets. Those targets deliver the stream to viewers, such as through a hosted webpage or a direct playback URL.

Secure Socket Layer (SSL) can provide secure and encrypted HTTPS connections as a stream moves through the network connections from stream targets to playback destinations. When a specific stream target property is enabled, Wowza Video uses SSL to establish a handshake for encrypting HTTP connections. For streams using Wowza CDN targets, you can choose to deliver streams to players for playback using SSL and require the player client to use HTTPS for playback.

Encrypting connections between servers and clients using SSL and HTTPS prevents data from being intercepted and manipulated in transit and prevents third parties from altering a stream as it moves between servers. As of 2018, certain browsers warn users against websites with content served over unsecured HTTP connections. Configuring SSL for your HLS streams can help secure streams and avoid browser warnings.

See this article to configure SSL playback for streams using Wowza CDN targets on Fastly through our Wowza Video REST API:

Note: You can only enable SSL playback through the Wowza Video REST API. 

Geo-blocking for playback on Fastly

Geo-blocking through Wowza Video allows you to selectively allow or block access to Wowza CDN on Fastly stream targets to control where a stream can be viewed. You can use geo-blocking to specify which countries or regions are allowed or which countries or regions are blocked. You can also allow streaming at specified IP addresses even if they're within a blocked location.

See the following article to configure geo-blocking for streams using Wowza CDN on Fastly targets through our Wowza Video user interface:

See the following article to configure geo-blocking for streams using Wowza CDN on Fastly targets through our Wowza Video REST API:

Referer policy for playback on Fastly

Setting the referer policy through Wowza Video allows you to selectively allow or block access to streams, depending on the domain that requests access. When you enable and configure the referer policy, clients and players requesting access to the stream must send a Referer header and must meet the policy requirements you've set for the stream target.

For more information about the Referer header, see the HTTP specification.

See the following article to configure the referer policy for streams using Wowza CDN on Fastly targets through our Wowza Video REST API:

Note: You can only enable and configure the referer policy through the Wowza Video REST API. 

Token authentication for playback on Fastly

Token authentication protects streams using Wowza CDN on Fastly targets by requiring a token, which is hashed and appended to the playback URL, for viewer access. Token authentication protects streams by ensuring that they are accessed only by viewers who have the token, preventing playback URLs from being shared by unauthorized users and protecting your stream from player hijacking attacks. Use token authentication to make the stream playback URL unavailable after a certain length of time, to limit access to approved IP addresses, or apply other restrictions.

To enable and configure token authentication through the Wowza Video user interface, see:

See this article to configure and add token authentication for streams using Wowza CDN on Fastly targets through our Wowza Video REST API:

AES-128 encryption for playback on Fastly

AES-128 encryption protects streams using Wowza CDN on Fastly targets by requiring devices to provide a matching key before a stream can be played. Wowza Video uses the external method of AES-128 encryption. When you use the external method, encryption keys are delivered to devices from an external URL.

To configure AES-128 encryption for HLS streams using Wowza CDN on Fastly targets through the Wowza Video user interface, see:

See the following article to configure AES-128 encryption for HLS streams using Wowza CDN on Fastly targets through the Wowza Video REST API:

DRM (digital rights management) 

Digital rights management (DRM) technology provides a way, through encryption, for content creators to protect copyrights and unauthorized distribution of their digital media. The Wowza Video REST API provides integration with EZDRM, a third-party digital rights management (DRM) service you can use to protect live stream content from unauthorized viewing.

Note:
  • To protect streams using EZDRM, you must have an EZDRM account, configured appropriately for the device types you want to stream to. For FairPlay, you'll need verification from Apple that you're approved to use Fairplay.
  • Refer to EZDRM and their documentation for more information about EZDRM account setup.
  • We recommend engaging with Professional Services for assistance with setup. You can schedule a call.

Currently, Wowza Video supports the following EZDRM key management systems with live streams:

  • EZDRM FairPlay Streaming – Supports HLS playback for content to Apple devices with native support for the HTML 5 player in macOS Safari browsers or Safari 11.3 on iOS.
  • EZDRM Universal – Supports MPEG-DASH playback for Google Widevine and Microsoft PlayReady devices and platforms using a linked Common Encryption (CENC) key.

While you can implement DRM for Apple (FairPlay) and Widevine/PlayReady individually, in most cases you'll want to complete both of the following tasks to ensure your stream is protected on as many devices and platforms as possible:

Note: You can only enable and configure DRM through the Wowza Video REST API. 

More resources