Security isn't an afterthought.
It's the product.

Every layer of VidEncrypt is designed to keep your content safe.

How signed URLs work

Browser requests a play token from your server

Your server calls VidEncrypt API with API key

VidEncrypt returns signed HLS URL (60s TTL)

Browser loads HLS player with signed URL

After 60s, URL is invalid — token refreshed automatically

How Max Security works

Viewer opens a page with an embedded video

Embed displays the Watch in Secure Player action

Click triggers a videncrypt:// deep link

VidEncrypt Desktop App opens with one-time install footprint

App validates a single-use playback token with VidEncrypt API

Content-protected window mode is applied before playback starts

Video plays in secure player while capture attempts are blocked or constrained

What we protect against

Hotlinking

Signed URLs with 60s TTL prevent URL sharing. Expired links return 403.

Token Replay

One-time token validation with nonce tracking prevents replay attacks.

Direct R2 Access

R2 buckets are private. All access goes through our authenticated CDN layer.

Bot Scraping

Rate limiting + device fingerprinting detect and block automated download attempts.

Unauthorized Embeds

Referrer validation ensures videos only load on whitelisted domains.

Screen Recording

Max Security mode moves playback into a desktop app window with OS-level capture protection.

Leak Attribution

Watermark context can include user/session/IP/timestamp so leaked recordings remain traceable.

How watermarking protects you

Two independent layers work together: secure playback for prevention and watermarking for attribution.

•Layer 1: session-aware watermark values can be injected from your backend context

•Layer 2: generic project watermark fallback still applies in iframe playback

•If content is re-recorded externally, watermark context supports forensic traceability

•Works in both standard browser embeds and secure desktop-player sessions

Platform coverage

Platform	Recording blocked	Watermarked
Windows (desktop app)	OS-level protection	Yes
macOS (desktop app)	OS-level protection	Yes
Android app target	FLAG_SECURE path	Yes
iOS Safari	No guaranteed OS-level block	Yes
Chrome desktop	Use Secure Player for stronger protection	Yes
Firefox desktop	Use Secure Player for stronger protection	Yes
Android browser	No guaranteed OS-level block	Yes

What's coming next

→Public browser allowlist controls from project settings

→Native iOS secure-player path with stronger capture constraints

→Plan-level security entitlement controls

Infrastructure security

Data at rest

Encrypted at Cloudflare R2 (AES-256)

Data in transit

TLS 1.3 enforced on all connections

API keys

SHA-256 hashed, never stored in plain text

Sessions

Redis-backed with TTL, httpOnly cookies

CSRF protection

On all state-changing endpoints

Responsible Disclosure

Found a vulnerability? We take security reports seriously. Please reach out to us with details and we'll respond within 24 hours.

security@videncrypt.io

Security isn't an afterthought.It's the product.