Overview: Content Protection
DRM (Digital Rights Management) protects your video content by encrypting the video data and unlocking it based on license policies. When the video content is loaded into a Brightcove Player, the player calls back to a licensing server and obtains permission to play the video. This transaction is transparent to viewers. See the Overview: Digital Rights Management (DRM) in Video Cloud document for more information.
HLS encryption (HLSe)
While not as secure as DRM, HLS encryption makes unauthorized viewing of your videos more difficult. See Protecting Videos with HLS Encryption for details on how HLSe works and how to get your account enabled.
TTL (token authentication)
If you are delivering premium or confidential content, you will want to keep it secure by every available means. You do not want end users to be able to copy URLs or continue to play back content without the proper authorization. Brightcove supports TTL signing for HLS, DASH, Smooth, and MP4 URLs, which ensures that if manifest or segment URLs are copied outside of the intended playback environment (for example, shared via messaging apps or social media, or sideloaded into other players), they stop working once the configured TTL expires on those URLs.
For HLS and DASH, the manifest URLs are served from a Brightcove-managed CDN and are signed with a TTL. For Smooth, MP4, and individual segment URLs within manifests, URL TTL signing is managed by the CDN configuration being used. Signing is supported for both Brightcove House and BYO CDN configurations, with Akamai, Fastly, CloudFront, Edgio (formerly Limelight), and JOCDN signing methods available.
By default, TTL tokens have a very short life. You can increase the life if needed (for MRSS feeds and other use cases) by contacting Brightcove Support to have them set the token time-to-live value higher. The allowable range is one hour to one year. Remember, however, that this is an account setting. Don't set the value so high that it might jeopardize the security of your other videos. Once a signed URL has expired, new URLs can only be obtained from the Playback or CMS APIs, which require either a valid Policy Key or OAuth authentication.
Short manifest TTL
In the playback workflow, the Brightcove Player calls the Playback API (or Edge Auth API) to retrieve the available manifests to start playback by providing a policy key (or JWT) for authentication.
A caching layer has been introduced to allow these APIs to scale and be highly available. That layer stores the responses from the Signed Manifest URL API and the Playback API. Since the signed manifests will be cached, the TTL must be long enough to remain valid for the time spent in the cache, plus a buffer for the player to use.
Short manifest TTLs allow viewers to continue playback without hindrance. Also, all the Dynamic Delivery features work with Short manifest TTL.
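The expiry check from the TTL section and the cache-plus-buffer constraint above, sketched as an added example. This is not Brightcove's or any CDN's signing format: it is a generic HMAC-signed URL, and the key, path, query parameter names, and the 60-second cache and 30-second buffer values are all constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-key"  # constructed; real keys stay on the signer and the edge


def _mac(path: str, exp: int) -> str:
    # Cover both path and expiry so neither can be edited without detection.
    return hmac.new(SECRET, f"{path}?exp={exp}".encode(), hashlib.sha256).hexdigest()


def sign_url(path: str, now: int, ttl: int) -> str:
    exp = now + ttl
    return f"{path}?exp={exp}&sig={_mac(path, exp)}"


def verify_url(url: str, now: int) -> str:
    """Edge-side check: 'ok', 'expired' or 'bad-signature'."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        exp, sig = int(query["exp"][0]), query["sig"][0]
    except (KeyError, ValueError):
        return "bad-signature"
    if not hmac.compare_digest(sig.encode(), _mac(parts.path, exp).encode()):
        return "bad-signature"
    return "ok" if now < exp else "expired"


def min_manifest_ttl(cache_max_age: int, player_buffer: int) -> int:
    # A response may be served at the end of its cache life and must still
    # leave the player its buffer, so the TTL has to cover both.
    return cache_max_age + player_buffer


def served_from_cache(path: str, signed_at: int, ttl: int, cache_age: int) -> str:
    """Verdict for a viewer who receives the cached URL cache_age seconds after signing."""
    return verify_url(sign_url(path, signed_at, ttl), signed_at + cache_age)


if __name__ == "__main__":
    path = "/constructed/manifest.m3u8"  # constructed sample path
    ttl = min_manifest_ttl(cache_max_age=60, player_buffer=30)    # 90 s
    url = sign_url(path, now=1000, ttl=ttl)
    print(verify_url(url, now=1060))                              # viewer, from cache
    print(verify_url(url, now=1000 + ttl))                        # copied URL, later
    print(verify_url(url.replace("exp=1090", "exp=9999"), 1060))  # edited expiry
    print(served_from_cache(path, 1000, ttl=45, cache_age=60))    # TTL too short
```

The last call shows the failure the caching constraint guards against: a TTL shorter than the cache lifetime hands a legitimate viewer a manifest URL that has already expired.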
Domain restrictions
Domain restrictions can be set on players to limit the domains where players can be used. If the player publishing code is copied and used on another site, domain restrictions prevent the player from loading any videos. Publishers must use the in-page embed code to get playback working on the domains that have been whitelisted. Publishers cannot use the iframe embed code on a whitelisted domain (or any other domain) and expect playback to function properly.
See the Configuring Player Content Restrictions document for instructions on how to domain restrict your player and the Domain Restrictions Messaging document on how to deal with domain restriction errors in Brightcove Player.
IP restrictions
With IP restrictions, you can configure players to allow whitelisted IP addresses outside the U.S. to access your Video Cloud content. Please contact Customer Support for assistance. For players used outside of North America with IP restrictions, be sure to check the information in the Restricting Video Playback Using IP Address document to prevent issues that may arise.