0

I have stored a video file in Blob storage. I need to stream this video, but I do not want users to go into developer mode and copy/paste the URL into a browser so they can download it.

I have tried many ways to control this but I have failed. I used a SAS token with an expiry, but users are still able to download the content within that expiry period.

My latest approach is to hide the SAS-token-enabled video URL behind Azure API Management Service. This will give me a different URL (which is not the Blob storage URL) which I will expose on the HTML page. Will this approach work?

Sharon Watinsan

1 Answer

0

No, we cannot hide the backend information on the web. You can't hide anything that your app is running in a client's browser. Instead of that, you can secure your backend service.

There are some alternate ways to do that, but we don't hide anything on the web.

1. Mask URLs in content

The redirect-content-urls policy re-writes (masks) links in the response body so that they point to the equivalent link via the gateway. Use in the outbound section to re-write response body links to make them point to the gateway. Use in the inbound section for an opposite effect.

<redirect-content-urls />

Refer to Mask URLs in content

2. Set backend service

Use the set-backend-service policy to redirect an incoming request to a different backend than the one specified in the API settings for that operation. This policy changes the backend service base URL of the incoming request to the one specified in the policy.

<set-backend-service base-url="base URL of the backend service" />

Or

<set-backend-service backend-id="identifier of the backend entity specifying base URL of the backend service" />

Refer to Set backend service

Otherwise, you can encrypt your video data to secure a backend.

To know the possible ways, see here.

A client that has a valid SAS can access your storage account as permitted by the SAS. It's important to protect a SAS from malicious or unintended use. For that, use discretion in distributing a SAS, and have a plan in place for revoking a compromised SAS.

Refer: SAS for blob

Delliganesh Sevanesan
  • Thank you. According to you there's no way to hide a URL (to prevent illegal download of video). However, if there's an attribute to add the allowed client/host while generating the SAS token, I don't think there'll even be a requirement to hide the URL. If the SAS token can look at whether the request is generated from a permitted client/host, then it can grant access to the resource. Is there a feature like this? I went through the documentation; it allows adding permitted IP addresses but never the permitted clients/hosts who can access. – Sharon Watinsan Aug 19 '21 at 15:34
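
Added example, not part of the original answer or comment and not Azure's own code: a simplified Python model of what a SAS-style signed URL can check (the signature, the `se` expiry and the `sip` IP range), illustrating the answer's point that any client holding a valid SAS is granted access. The key, host name, path and the reduced string-to-sign are constructed assumptions; the real Azure string-to-sign has more fields.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

KEY = b"constructed-demo-key"  # constructed; stands in for the storage account key
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _sign(path, se, sip):
    # Simplified string-to-sign (assumption): only path, expiry and IP range.
    msg = "\n".join([path, se, sip]).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def make_sas_url(path, lifetime, sip=""):
    """Issue a signed URL valid for `lifetime`, optionally limited to an IP range."""
    se = (datetime.now(timezone.utc) + lifetime).strftime(TIME_FMT)
    query = {"se": se, "sig": _sign(path, se, sip)}
    if sip:
        query["sip"] = sip
    return "https://account.example" + path + "?" + urlencode(query)


def authorize(url, client_ip, headers=None, now=None):
    """Server-side check. `headers` is accepted but never read: nothing in the
    token binds it to a particular browser, page or session."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    se, sip, sig = q.get("se", ""), q.get("sip", ""), q.get("sig", "")
    if not hmac.compare_digest(sig, _sign(parts.path, se, sip)):
        return "denied: bad signature"
    now = now or datetime.now(timezone.utc)
    if now >= datetime.strptime(se, TIME_FMT).replace(tzinfo=timezone.utc):
        return "denied: expired"
    if sip:
        lo, _, hi = sip.partition("-")  # single address or "start-end" range
        ip = ipaddress.ip_address(client_ip)
        if not ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi or lo):
            return "denied: ip not allowed"
    return "allowed"
```

A URL copied out of the page and replayed from the same network before `se` passes every check, which is why the short expiry and the IP range narrow the exposure but do not tie the token to the player.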