restreamer
restreamer copied to clipboard
datarhei
keeping urls safe with token
I was reading your nice documentation, but didn't find information on how to secure the stream *. Anyone that checks the URL of the iframe player, can use the iframe externally in other website. And maybe even the RTSP URL directly if it's in iframe source code. Right?
There is some way to secure the stream, with session token for example? Which is the best approach to do this? Maybe we can add a cross site header that limits the use of the iframe in other website, and also add a logo in the restreamer admin web console.
Thanks for your great project and support.
Securing the stream is not yet covered out-of-the-box by Restreamer. There are different scenarios that need to be covered.
The original RTSP URL of the camera is never exposed.
To block the player from being iframed into another page, you could modify the Restreamer nginx configuration to add a "X-Frame-Options" header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options). It can be configured for only the player.html file or the whole Restreamer UI. This may require that you proxy the requests to the player and the stream through the domain you're using for embedding the player.
However, this will not prevent others to directly accessing the HLS stream (i.e. m3u8 file) if they know the URL. Currently the URL is well known if you know the base address of the Restreamer. There it might be an option to randomize/change the name of the m3u8 file.
Adding a logo is already available in Restreamer, but this will only add the logo to the player, i.e. it is not encoded into the stream. This may follow in a later version.
Hello
We have converted the request into a feature request. Follow the discussion https://github.com/datarhei/restreamer/discussions/345#discussion-4108562 to stay current, and see when your feature becomes active.
Please appreciate it if we only implement some features, which may take some time.
We are closing this issue.
Cheerio Sven
