Cloudflare Stream and video protection in Wordpress

Hello everyone!

Cloudflare Stream offers its own free plugin which, actually, has limited functionalities.

I tested it but in my case, that was not enough. I needed to integrate the functionality of signed URL into my WP to protect my videos because, in the end, I wanted to prevent my videos to be downloadable by anyone.

I, therefore, created a plugin, called “Cloudflare Stream WordPress plugin” which offers a tokenization technology (one shortcode for each video). If you want to know more, you can read my detailed blog post.

It easily integrates signed URL capabilities (video protection) in your WordPress installation (classic, Gutenberg, and WPBackery), and allows stream only from certain domains.

The core functionalities we needed (and the problems we solved) were:

a) protect our videos by allowing only some domain origins directly from Wordpress, pretty much as you do manually in CF:


So that the video streaming would have only be possible from our domain gorillacommunication.

b) make the video ID hidden from public as normally it isn’t:


Ie. if you take your video ID and paste it after this URL you will see that the video streams perfectly publicly:
https://watch.cloudflarestream.com/yourNumericIDgoesHere

c) to have a “panic button” that would unsign all the videos URLs in bulk. So, in case anything would happen with the tokenisation (e.g. wordpress updates, sudden plugin incompatibilities or malfunctions, etc) we would have insured our users the streaming, even if unprotected.

d) A shortcode so to embed the videos wherever in our wordpress (pretty much as the official CF plugin is doing)

e) managing all the streaming parameters (autoplay, poster, loop, etc)

So we made this plugin that is working in 4 simple steps:

  1. A setting page get all the CF basic parameters (ID, email, API key, etc):


    There you can also set a Buffer time. Which will be added to the video lenght.
    E.g. if your video last 5 min and your buffer time is 5 min, the generated token for the streaming session will be invalidated after 10 minutes.

  2. You can add your video as you would do with a normal Wp page, giving it a title and inserting your video ID taken directly from CF stream interface:


    Once you hit “publish” it will automatically whitelist the current domain only on CF, so that you don’t have to insert the domain origins via CF interface and sign the URL, de facto, protecting the video. E.g. if someone would want to grab your URL and copy it in a forum or download it.

  3. You get all your videos and their shortcodes:

  4. you simply paste the shortcode wherever you want in your wordpress + add any parameter you want after the shortcode :wink:

The result of that is that now our videos are streaming from CF in a “protected way”, eg. instead of the ID, a time-bound token is shown on the DOM and the video ID remains hidden:

I thought it might be of interest to anyone facing our same need vs video protection, signed URL, tokenization, etc.
I am pretty sure there are better, faster and more efficient ways to do this, so I am very open to read your thoughts, comments and expertise and to learn from it :wink:

Thanks for the reading and subscribe to stream, it really worth!!!
Stay safe
Kind regards

2 Likes

You’re a lifesaver! I was about to start this project myself.

I’ve forked the official WordPress plugin and added support for signed URL’s / tokens, making use of the new’ish /token API endpoint. I don’t consider this a long term project, rather a stop-gap until the official plugin catches up.

https://github.com/Binklebonk/cloudflare-stream-wordpress

Note that only the shortcode method of adding videos is employing signed URL’s at the moment. The Gutenberg block method was having greater issues (not listing videos), even in the original plugin.

If you were using the original plugin with the shortcodes, I expect they’ll continue to work with this one, only now video ID’s will be converted to signed URL’s behind the scenes.

It’s using the standard Cloudflare Stream player which does allow users to view the video ID. Keep in mind however, that if your videos are set to require signed URL’s, a viewer having the video ID is no risk to security, because they’d still need to possess your closely guarded API key/token to convert it to a signed URL, in which case you’d have far bigger issues.

I’ve produced this fork for my own purposes, so I offer no guarantees. As per GPL requirements, and in the interest of seeing this sort of support come to the official plugin, I’ve made my modifications public and I’ve put it up on GitHub.