How to secure music when streaming through HTML5 audio tag

11
votes

Here is my scenario: I am building a web page for a friend's band. They want to stream full versions of their songs on the site, but not allow users to download the files. There are links to purchase the music on iTunes and Amazon. My ideal solution is to use the html5 audio tag.

My problem: Streaming music through the audio tag is not secure, and very easy to catch the URL in the page's source and then just downloading from their web browser.

I've done some research online and read some discussions. Yes, I know that there is no way to make it 100% secure. But, I would like to try to implement some security measures to deter most people from stealing the music.

So my question is, what measures can I take here to try and secure the audio? Is there a way to only allow the page that streams the music access to it? So this way users can't just navigate to the music file's URL and download? Or is there a way to get it from a webservice?

Any help is much appreciated. Thanks!

2
securityhtmlaudio

2 Answers

8
votes

There is a little trick I think about: allow access to the music through a one-time unique url:

// Page generation
// Generate unique token and put it into database
<audio controls="controls">
  <source src="song.ogg?token=UNIQUETOKEN" type="audio/ogg" />
</audio>

// On access
- Check for corresponding UNIQUETOKEN in database
- Remove token from database
- Send audio data

It won't prevent users from downloading your song through CURL (for instance), but they won't be able to view the page AND navigate the source to download the song again.

Also, it should be possible to download separate samples of your track and play them continuously with a custom player. These are just ideas, I'm not sure they would be efficient enough for what you request.

0
votes

I did this with two .php files:

The first is the 'player'. When it loads it creates a session var that the second picks up - or doesn't.

The second is the 'streamer'. If it finds the session var it uses 'partial content' messages to stream the song to the player. If the session var is missing it does nothing.

Shouldn't be any way to link directly to it without access to the file system.