Security isn't an afterthought.
It's the product.

Every layer of VidEncrypt is designed to keep your content safe.

How signed URLs work

1. Browser requests a play token from your server
2. Your server calls VidEncrypt API with API key
3. VidEncrypt returns signed HLS URL (60s TTL)
4. Browser loads HLS player with signed URL
5. After 60s, URL is invalid — token refreshed automatically

What we protect against

Hotlinking

Signed URLs with 60s TTL prevent URL sharing. Expired links return 403.

Token Replay

One-time token validation with nonce tracking prevents replay attacks.

Direct R2 Access

R2 buckets are private. All access goes through our authenticated CDN layer.

Bot Scraping

Rate limiting + device fingerprinting detect and block automated download attempts.

Unauthorized Embeds

Referrer validation ensures videos only load on whitelisted domains.
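
The signed-URL flow and the Hotlinking and Token Replay protections described above, as an added example that is not VidEncrypt's code. The page does not state the signing scheme, so this assumes HMAC-SHA256 over path, expiry and nonce, hypothetical query parameter names exp, nonce and sig, and an in-memory nonce store standing in for a shared one.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = secrets.token_bytes(32)  # assumption: secret shared by the signer and the CDN edge
TTL_SECONDS = 60                       # the 60s TTL stated on the page
_seen_nonces = {}                      # nonce -> expiry; stand-in for a shared store with TTL


def _mac(path, exp, nonce):
    # Bind the signature to the path, the expiry and the nonce together.
    msg = f"{path}\n{exp}\n{nonce}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path, now=None):
    """Return path plus exp, nonce and sig query parameters (hypothetical names)."""
    now = int(time.time()) if now is None else int(now)
    exp = now + TTL_SECONDS
    nonce = secrets.token_urlsafe(16)
    return f"{path}?" + urlencode({"exp": exp, "nonce": nonce, "sig": _mac(path, exp, nonce)})


def verify_url(url, now=None):
    """Return 200 if the URL is authentic, unexpired and unused, else 403."""
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        exp, nonce, sig = int(q["exp"][0]), q["nonce"][0], q["sig"][0]
    except (KeyError, ValueError):
        return 403
    # Check the MAC first, in constant time, so unauthenticated input never reaches the nonce store.
    if not hmac.compare_digest(_mac(parts.path, exp, nonce).encode(), sig.encode()):
        return 403
    if now >= exp:
        return 403
    # Forget nonces whose URLs have expired anyway, then enforce single use.
    for old in [n for n, e in _seen_nonces.items() if e <= now]:
        del _seen_nonces[old]
    if nonce in _seen_nonces:
        return 403
    _seen_nonces[nonce] = exp
    return 200
```

Because a nonce only needs to be remembered until its URL expires, the replay store stays bounded by the number of URLs issued in any 60-second window.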

What we don't do (yet)

Transparency builds trust. Here's what's coming.

DRM (Widevine/FairPlay) — Coming Q2 2025
Dynamic video watermarking — On roadmap
Screen recording prevention — JS-level, limited by browsers

Infrastructure security

Data at rest

Encrypted at Cloudflare R2 (AES-256)

Data in transit

TLS 1.3 enforced on all connections

API keys

SHA-256 hashed, never stored in plain text

Sessions

Redis-backed with TTL, httpOnly cookies

CSRF protection

On all state-changing endpoints

Responsible Disclosure

Found a vulnerability? We take security reports seriously. Please reach out to us with details and we'll respond within 24 hours.

security@videncrypt.io