[Plugin: W3 Total Cache] How to stop Amazon s3/cloudfront hotlinking?

Viewing 7 replies - 1 through 7 (of 7 total)
  • S3flowshield is, just like S3Media stream, a video/audio plugin. It does not display images except poster images for the videos, and as such they are not protected against hotlinking because they are not produced via expiring URLs. You may learn more on this subject via

    I hope this is useful?

    “If not what solution is there to prevent hotlinking of images?”

    I emailed S3FlowShield a link to this thread. Here’s their response:

    “That post is incorrect. S3FlowShield can generate authenticated/expiring URLs for any file stored on S3, so you can indeed protect your images.”

    Unfortunately I don’t want additional URLs. lol

    If you are just using S3 you can use bucket policy to prevent hotlinking by referrer, however this won’t work when using cloudfront. I also suspect any expiring url is an S3 only feature too.

    Plugin Author Frederick Townes


    I think @backie’s advice is accurate.

    There are two issues here: one is hotlinking of images or other protected content (i.e. course PDFs) and the other is video protection.

    s3flowshield is designed for video protection, not really for images. I don’t know if it will work for that purpose. It works by generating long URLs that are too complicated to share. I don’t know about “expiring urls” except that it does NOT support the type of expiring URLs that Cloudfront private distributions use (more on this below). It works fine for generating expiring URLs to videos stored on S3, via its own internal mechanism, but it won’t work with RTMP or private distribution.

    Backie and Frederick are correct: you can use S3 bucket policy to prevent hotlinking by only allowing certain referrers:
    but I don’t think this will work on Cloudfront (Cloudfront files are sourced by S3, but it’s a different security mechanism).

    Now about video protection

    Neither S3Flowshield nor Easy Video Player (as of today) implement Cloudfront private distributions for RTMP streaming. This is a mechanism whereby the request to Cloudfront is digitally signed (with a key pair). These signed requests can carry an expiry date, can limit to only one IP address, etc. These (signed) URLs must be dynamically generated for each user request or page load (and made to expire in, say, 15 minutes — if the user doesn’t start the video or refresh the page in 15 minutes, the video won’t play).

    I am writing a plugin called “Cloudfront private distribution extension for JWPlayer” that will generate these expiring URLs. It’s not that complicated, and there is complete sample code here

    I have a video that teaches how to set up a Cloudfront streaming distribution with JWPlayer here, if interested (not private distribution):

    If you have any questions, please post them there.


    Hydn@: Matt from S3Flowshield refers to the expiring link feature, but that has nothing to do with displaying images on a site while being protected against hotlinking.

    mbeneteau@: S3Media Stream already features private RTMP streaming video and audio via CloudFront and it offers a whole host of other options to play video and audio. It fully supports HTML5 fallback to video and audio as well so that iPhone, iPad and other rich media capable mobiles are covered.
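
Added example, not part of any reply in this thread and not code from any of the plugins mentioned: a sketch of the signed CloudFront URL mechanism discussed above (a custom policy carrying an expiry and an optional single-IP restriction), with a local model of the expiry and IP checks. The function names, the 900-second default and the `rsa_sha1_sign` callable (expected to return an RSA-SHA1 signature made with the CloudFront key pair's private key) are assumptions of this example.

```python
import base64
import ipaddress
import json
import time
from urllib.parse import parse_qs, urlsplit

# CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
_TO_CF = str.maketrans("+=/", "-_~")
_FROM_CF = str.maketrans("-_~", "+=/")

def cf_b64(data):
    return base64.b64encode(data).decode("ascii").translate(_TO_CF)

def build_policy(resource, expires_at, client_ip=None):
    """Custom policy: usable until expires_at (epoch seconds), optionally from one IPv4 address."""
    condition = {"DateLessThan": {"AWS:EpochTime": int(expires_at)}}
    if client_ip:
        condition["IpAddress"] = {"AWS:SourceIp": client_ip + "/32"}
    doc = {"Statement": [{"Resource": resource, "Condition": condition}]}
    # Compact form: the bytes that are signed are exactly the bytes sent in Policy=.
    return json.dumps(doc, separators=(",", ":")).encode("ascii")

def signed_url(url, key_pair_id, rsa_sha1_sign, ttl=900, client_ip=None, now=None):
    """Return url with Policy, Signature and Key-Pair-Id appended (ttl=900 is 15 minutes)."""
    issued = int(time.time() if now is None else now)
    policy = build_policy(url, issued + ttl, client_ip)
    signature = rsa_sha1_sign(policy)  # caller-supplied signer (assumption of this example)
    joiner = "&" if "?" in url else "?"
    return "%s%sPolicy=%s&Signature=%s&Key-Pair-Id=%s" % (
        url, joiner, cf_b64(policy), cf_b64(signature), key_pair_id)

def policy_permits(url, request_ip, now):
    """Local model of the expiry and IP checks only; signature verification is not modelled."""
    query = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(query["Policy"][0].translate(_FROM_CF))
    condition = json.loads(raw)["Statement"][0]["Condition"]
    if now >= condition["DateLessThan"]["AWS:EpochTime"]:
        return False  # link has expired
    allowed = condition.get("IpAddress", {}).get("AWS:SourceIp")
    return allowed is None or ipaddress.ip_address(request_ip) in ipaddress.ip_network(allowed)
```

Generating the URL per page load on the server keeps the private key off the client, and a copied link stops working once the expiry passes or when it is requested from another address.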

  • The topic ‘[Plugin: W3 Total Cache] How to stop Amazon s3/cloudfront hotlinking?’ is closed to new replies.