Hotlink protection is achieved using the txSecret field in a push or playback URL. It can prevent attackers from forging your push URLs or using your playback URLs for profit without authorization.
How It Works
You can configure an encryption key in the CSS console (do not disclose this key) to prevent attackers from forging your push and playback URLs:
Directions
Step 1. Configure the key
First, you need to configure an encryption key in the CSS console. This is the key used to generate hotlink protection signatures on your server. Because Tencent Cloud has this key, it will be able to decrypt the signatures generated.
A push hotlink protection key is used for push URLs, and a playback hotlink protection key is used for playback URLs. To configure a key for push URLs, go to the CSS console, click Domain Management on the left sidebar, and select Push Configuration.
The plaintext in the signature is txTime, which is the validity period of the URL. For example, if the current time is 2025-11-28 20:19:50, and you want your push URL to expire in three hours, txTime should be 2025-11-28 23:19:50.
To simplify the URL generated, the time string is converted to a Unix timestamp (you can perform this by calling the time API), and to further shorten the string, the timestamp is converted to a hexadecimal or decimal string. Therefore, in the example above, txTime should be 1694669601 (decimal) or 65029b21 (hexadecimal).
Note:
The actual final end time of the playback address is txTime + plus the validity period of the authentication key. Changing the authentication validity period does not affect the URL generation, but it can extend the authentication validity time of the address.
Make sure you specify an appropriate validity period (not too long or too short) for the URL:
If the validity period is too short, when a host is disconnected during a live stream, they may be unable to resume publishing due to expiration of the push URL.
If the validity period is too long, your URL may be hotlinked.
Step 3. Generate txSecret
txSecret is generated using MD5(KEY + StreamName + txTime). MD5 is a one-way hashing algorithm(Currently, the SHA256 encryption algorithm has also been added.). KEY is the encryption key configured in step 1. StreamName is the stream ID. We recommend you set it to a random number or the user ID. In the example below, StreamName is set to test, and txTime is the hexadecimal string calculated in step 2.
Example:
Suppose `KEY` is `e12c46f2612d5106e2034781ab261ca3`.
A push URL that conforms to the Tencent Cloud standard consists of the following four parts:
Now that we have the URL expiration time txTime, the signature txSecret (which only Tencent Cloud can decrypt), the stream ID StreamName, and the push domain (suppose it’s livepush.tcloud.com), we can generate a hotlink protection push URL:
We offer sample code for the generation of hotlink protection URLs. In the CSS console, click Domain Management on the left sidebar, select a push domain, and click Push Configuration. Scroll down, and you will find sample code for PHP, Java, and Go. For details, see Push Configuration.
