Secure Media: Protect Flash files from hotlinking by other sites

1. Introduction

The Apache url rewriting utility is an easy and effective tool to secure image files against bandwith theft. Unfortunately this method doesn't work with flash swf files as the <object> tag doesn't submit a referer when requesting the swf file from the server. 

The solution to this problem is the Neodelight Secure Media System - it allows you to protect your swf files or any other filetype from bandwith thievery and hotlinks. 

This software is released under the GPL General Public License. It is free to use and open source. 

Anybody is invited to further improve the system, so please email me (fm@neodelight.com) if you have any ideas, bug reports, suggestions or questions. 


--------------------------------------------------------------------------------

2. Implementation
Add these lines to your httpd.conf to redirect any requests for secured swf files to the neodelight secure media script: 

<IfModule mod_rewrite.c>
  RewriteEngine on
  ^/(.*)\.SM([a-fA-F0-9]{32})\.swf$ /securemedia.php?file=$1&key=$2
</IfModule> 

Move the swf file you want to protect to a directory not accessible by a browser, default is "/var/www/securemedia/".

The swf files you want to protect have to be in the same subdirectory of the secured dir as they were on your website. 

Example: If you want to protect the file http://www.myserver.com/mydir/flash.swf then you'll have to put it to /var/www/securemedia/mydir/flash.swf

Now put the files CSecureMedia.php and securemedia.php into your webservers root directory, for example http://www.myserver.com/securemedia.php 

You can now access the secured file by its secured url: 

http://www.yourserver.com/path/file.SM012345678900123456789012345678901.swf  
You'll have to replace "01234567890123456789012345678901" with the md5() of your keystring together with the current date in the format "YYYYMMDD". Use the php command md5('yourpassword'.date("Ymd")) for that purpose. 

<!-- Example HTML/PHP code displaying a protected swf file-->

<?php
// example: you have a file called "myfile.swf"
  $filename = 'myfile'.'.SM'.md5('yourpassword'.date("Ymd")).'.swf';
?>

<OBJECT WIDTH="550" HEIGHT="400" >
  <PARAM NAME=movie VALUE="<?php echo $filename; ?>">
  <EMBED src="<?php echo $filename; ?>" WIDTH="550" HEIGHT="400" TYPE="application/x-shockwave-flash"></EMBED>
</OBJECT>  

The script "securemedia.php" in the webserver root directory will handle the request and check if the keystring is valid and deliver the file if so, otherwise it will deliver the file "denied.swf" from the $secureDir directory to forward the user to your homepage. 

To create a "denied.swf" file that forwards to your website, create a blank Flash file and enter the following code into the first frame:

getURL('http://www.yourserver.com/','_top');  

You can also download the FLA file here: http://www.neodelight.com/personal/flo/securemedia/denied.fla

3. ToDo

The described method might also work to protect files other than swf if adapted accordingly. If you gained any experiences with that, please let me (fm@neodelight.com) know. 

The System was not tested yet with Flash applications that load other swf files at runtime 

You canīt pass parameters to the swf file at the moment. The url rewrite string would need some changes for that. 

Anybody is invited to further improve the system, so please email me (fm@neodelight.com) if you have any ideas, bug reports, suggestions or questions. 

4. Latest Version

The latest version can be found at http://www.neodelight.com/personal/flo/securemedia