Bu sayfa henüz yerel dilinizde mevcut değildir. Daha fazla dil seçeneği eklemek için yoğun bir şekilde çalışıyoruz. Desteğiniz için teşekkür ederiz.

Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
Cloud Phone Host
Huawei Cloud EulerOS
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT Device Access
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
Distributed Database Middleware
Database and Application Migration UGO
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
Intelligent EdgeCloud
SAP Cloud
High Performance Computing
Developer Services
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS

URL Validation

Updated on 2024-12-27 GMT+08:00

Referer validation can filter visitors' identities. However, the referer content can be forged, which cannot completely protect your VOD resources. Therefore, VOD provides URL validation. You can configure the key and generate the corresponding playback URL. The URL has a certain validity period, which effectively prevents VOD resources from being illegally stolen.


Referer validation works in a simple way. After a blacklist or whitelist is configured on the VOD console, VOD distributes the blacklist or whitelist to CDN. When receiving a request, CDN checks whether the request is valid based on the list. If the request is valid, CDN accesses the requested resource. If the request is invalid, CDN rejects the request and returns a status code 403.

URL validation is implemented by VOD edge nodes and origin server in VOD. It is a more secure and reliable anti-piracy solution than referer validation. Figure 1 shows how URL validation works.

Figure 1 URL validation working principles

The process is as follows:

  1. You enable URL validation on the VOD console and configure the allowed time difference and algorithm.
  2. VOD delivers the configured key value to CDN nodes.
  3. You obtain the authentication URL of a VOD media file.
  4. Viewers request CDN to play a video through the authentication playback URL.
  5. CDN verifies the request based on authentication information carried in the playback URL. Only requests that pass the verification are allowed.


  • This function is optional and is disabled by default.
  • After this function is enabled, the original URLs cannot be used. New signed URLs must be generated based on rules.
  • If the signed URL expires or the signature fails to be authenticated, the video fails to be played and the message "403 Forbidden" is returned.
  • Algorithms A, B, and C do not support HLS and DASH playback scenarios.
  • To disable URL validation, submit a service ticket.
  • When URL validation is enabled, playback with multiple audio tracks and multilingual subtitles is not supported.


  1. Log in to the VOD console.
  2. In the navigation pane, choose Domain Name Management.
  3. Click Configure on the right of the domain name and choose the Hotlink Protection Settings tab.
  4. Click URL Validation. The URL Validation dialog box is displayed.
  5. Configure URL validation parameters. Table 1 describes the parameters.

    Figure 2 Configuring URL validation
    Table 1 Parameters




    Click Generate to generate a key value.

    Maximum Time Difference

    How long a signed URL remains valid. The default value is 120 minutes.

    For example, if the signed URL generation time is 1573806090 (Nov. 15, 2019 16:21:30 GMT+08:00) and the allowed time difference is 120 minutes, the signed URL expires at Nov. 15, 2019 18:21:30 GMT+08:00.

    Expiration Time of the Old Key

    By default, the old key expires 60 minutes later since the new key takes effect.

    For example, if the new key takes effect on Nov. 15, 2019 16:21:30 GMT+08:00 and Expiration Time of the Old Key is 60 minutes, the old signed URL expires at Nov. 15, 2019 17:21:30 GMT+08:00.


    Key encryption algorithm. The following algorithms are supported:

    Algorithms A, B, and C: The MD5 digest algorithm is used. For details, see Encryption Algorithm A, Encryption Algorithm B, and Encryption Algorithm C.

    Algorithm D: The symmetric encryption algorithm is used. For details, see Encryption Algorithm D.

    Algorithm E: The SHA-256 algorithm is used. For details, see Encryption Algorithm E (same as the Signing Method C2 of CDN). Algorithm E is now displayed on the GUI but not available for your use.

    • Algorithms A, B, and C do not support HLS and DASH playback. Algorithm D or E is recommended.
    • Currently, algorithm E supports preview only for HLS and MP4 files. The preview function of MP4 files takes effect only when MOOV is in front of MDAT. After the preview function is enabled, the playback URL can be obtained from the VOD console. The default preview duration is 300s.

    Authentication Scope

    Specifies the files to be authenticated. Currently, you can authenticate all files, authenticate files with a specified file name extension, or choose not to authenticate files with a specified file name extension.

    Authentication Inherit Config

    Adds the authentication parameter to TS and MP4 files under M3U8/MPD index files, so that the files can be played after authentication succeeds.

    • If there are multi-layer M3U8/MPD files, only the first-layer M3U8/MPD files are parsed, and the TS/MP4 streams of M3U8/MPD files at other layers are not expanded.
    • The standard M3U8 format is supported. M3U8 files are parsed by line. If the parsing fails, responses from the origin server are returned to users. URIs starting with the #EXT-X-MAP tag and URLs/URIs not starting with the pound key (#) are supported.
    • The standard MPD format is supported. MPD files are parsed by line. If the parsing fails, responses from the origin server are returned to users. The URI between tags <BaseURL> and </BaseURL> is identified. The SegmentTemplate tag is not supported.


    Only HLS and MP4 files can be previewed.

  6. Click OK.
  7. If you select algorithm D, you need to submit a service ticket for approval after configuring the parameters. The submitted information must contain the configured domain name and information listed in Table 1.

    URL validation settings take effect once your request is approved. If you modify the URL validation settings, you also need to submit a service ticket for approval.

  8. Verify whether the URL validation settings have taken effect.

    Obtain the signed streaming URL and play the content via the URL. If the playback is successful, the URL validation settings have taken effect.

Generating a Signed URL

From the console

  1. Log in to the VOD console.
  2. In the navigation pane, choose Management > Audio and Video Management.
  3. Click Details in the row containing your media file and then choose the Playback tab.

    URL is the original streaming URL of the media file. Click to obtain the signed URL.

    Figure 3 Streaming URL

Encryption Algorithm A

Signed URL format

Original URL?auth_key={timestamp}-{rand}-{uid}-{auth_key}
Formula for calculating auth_key
auth_key = MD5(/asset/{assetId}/{file_name}-{timestamp}-{rand}-{uid}-{private_key})
Table 2 Authentication fields




Time when a signed URL is generated. The value is a Unix timestamp, which is the number of seconds since January 1, 1970.

Example: 1564731935 (2019.08.02 15:45)


Random number. The recommended value is a UUID, which cannot contain hyphens (-).

Example: f03cbe7c4a3849bc8d8769e3110e4533


This parameter is not used now. Set it to 0.


Key value set on the console. For details, see Procedure.

Signed URL example
Original URL: http://1.cdn.myhuaweicloud.com/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4
private_key: myPrivateKey
timestamp: 1547123166
rand: 477b3bbc253f467b8def6711128c7bec
uid: 0
Obtain auth_key based on the calculation formula.
auth_key = md5(/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4-1547123166-477b3bbc253f467b8def6711128c7bec-0-myPrivateKey) = 584883719a3f722bf1a32a3b0a4d25dd

Signed URL based on algorithm A


Encryption Algorithm B

Signed URL format
Formula for calculating md5sum
md5sum = md5({private_key}{date_yyyyMMddHHmm}/asset/{asset_id}/{file_name})
Table 3 Authentication fields




Time when a signed URL is generated. The format is yyyyMMddHHmm.

Example: 201908051445


Part starting behind the media asset ID of the original streaming URL to the end of the URL.

Example: play_video/test.mp4


Key value set on the console. For details, see Procedure.

Signed URL example
Original URL: http://1.cdn.myhuaweicloud.com/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4
private_key: myPrivateKey
date_yyyyMMddHHmm: 201901102026
file_name: test.mp4

Obtain md5sum based on the calculation formula.

md5sum = md5(myPrivateKey201901102026/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4) = 713ef643de8df076da6ec3c0545968cb

Signed URL based on algorithm B


Encryption Algorithm C

Signed URL format
Formula for calculating md5hash
md5hash = md5({private_key}/asset/{asset_id}/{file_name}{time_hex})
Table 4 Authentication fields




Part starting behind the media asset ID of the original streaming URL to the end of the URL.

Example: play_video/test.mp4


Time when a signed URL is generated. The value is a hexadecimal Unix timestamp.

Example: hex(1564987530)=5D47D08A


Key value set on the console. For details, see Procedure.

Signed URL example
Original URL: http://1.cdn.myhuaweicloud.com/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4
private_key: myPrivateKey
time_hex: hex(timestamp) = hex(1547123166) = 5C3739DE
file_name: test.mp4
Obtain md5sum based on the calculation formula.
md5hash=md5(myPrivateKey/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp45C3739DE) = afa20c956043fe6d130b16f2704ac870

Signed URL based on algorithm C


Encryption Algorithm D

Signed URL format

Original URL?auth_info={Encrypted string}.{EncodedIV}&plive={plive_starttime}
Formulas for calculating the encrypted string and EncodedIV:
  • Original encrypted string = url_encoding({path}+"$"+{Timestamp})+"$"+{plive_starttime}
  • Encrypted string = aes_cbc_128_pkcs5padding(Original encrypted string,key,IV)
  • EncodedIV = hex(IV)
Table 5 Authentication fields




Directory from the domain name to the last level, including the slash (/) behind the domain name and slash (/) behind the last level of directory, excluding the file name

Example: /asset/32237c8f68fcc6071a2d8e3421eee20d/play_video/


Time when a signed URL is generated. The value is UTC time in yyyyMMddHHmmss format.

Example: 20190805101025


Key value set on the console. For details, see Procedure.

(Optional) plive

Start time of pseudo-streaming, in UTC time.

Specify this parameter only for Pseudo-Streaming. In other cases, this parameter is not required for calculating the signed URL.


Randomly generated byte array. It can be up to 16 characters long.

hex(): converts the byte array into a hexadecimal string.

Sample code for generating IV is:
byte[] iv = new byte[16];
SecureRandom secureRand = new SecureRandom();
Signed URL example
Original URL: https://179.cdn-vod.huaweicloud.com/asset/32237c8f68fcc6071a2d8e3421eee20d/play_video/index.m3u8
path: /asset/32237c8f68fcc6071a2d8e3421eee20d/play_video/
key: 8Ks1qn14XRO28qOa
Timestamp: 20190805102430
plive: 1704074400
The encrypted string and EncodedIV are obtained according to the calculation formula.
Original encrypted string = url_encoding("/asset/32237c8f68fcc6071a2d8e3421eee20d/play_video/") + "$" + "20190805102430"+ "$" + "1704074400"
Encrypted string = aes_cbc_128_pkcs5padding(Original encrypted string,key,IV) = 34M%2F6KtYgxuAozdBLIVTe0dUVAZdvXsYQoYAnDmuhRHh1hshYg%2B2Tl0AmSwySDh%2BmkER44qYKpSP%2BgfsLM%2FIZe4F6K4n1Nx6ouGwyKfqdDA%3D
EncodedIV = hex(IV) = 79436d453636364e335941713330534e
Signed URL based on algorithm D

Encryption Algorithm E

  • Algorithm E is now displayed on the GUI but not available for your use.
  • The preview and pseudo-streaming functions cannot be enabled at the same time. The following URLs are for reference only. exper and plive cannot exist at the same time.

Signed URL format

Original URL?auth_key={authKey}&timestamp={timestamp}&exper={exper}&plive={plive_starttime}

Formula for calculating authKey:

  • To enable preview: auth_key = sha256({PrivateKey}{fileName}{timestamp}{exper}
  • To enable pseudo-streaming: auth_key = sha256({PrivateKey}{fileName}{timestamp}{plive_starttime})
    Table 6 Authentication fields




    Time when a signed URL is generated. The value is a Unix timestamp, which is the number of seconds since January 1, 1970. Unit: second.

    Example: 1564731935, that is, the time is 2019.08.02 15:45.


    Back-to-origin URL. During authentication, the value must start with a slash (/) and cannot include the parameters behind ? in the signed URL.

    Example: /asset/6b2d740f10b8697d8ea6672868ecdb6f/test.hls


    Signing key, which is used to generate a signed URL.

    The key can contain 16 to 32 characters in only letters and digits.

    exper (optional)

    Video preview duration, in second. Only MP4 and HLS videos can be previewed.

    Specify this parameter only for preview. In other cases, this parameter is not required for calculating the signed URL.

    (Optional) plive

    Start time of pseudo-streaming, in UTC time. This field is valid only for the HLS format.

    Specify this parameter only for pseudo-streaming. In other cases, this parameter is not required for calculating the signed URL. The preview and Pseudo-Streaming functions cannot be enabled at the same time.

Signed URL example
Original URL: http://1.cdn.myhuaweicloud.com/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.hls
private_key: 32d6b2d740f10b86
timestamp: 1547123166
fileName: /asset/6b2d740f10b8697d8ea6672868ecdb6f/test.hls
exper: 300
plive: 1704074400
Obtain auth_key based on the calculation formula.
  • Enabling preview
    auth_key = sha256(32d6b2d740f10b86/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.hls1547123166300) = 3a935cf1d8299fe63ec8d4e0afb5ef3304883a702a4e760f3c5ae838a4b69768
  • Enabling pseudo-streaming
    auth_key = sha256(32d6b2d740f10b86/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.hls15471231661704074400) = 3a935cf1d8299fe63ec8d4e0afb5ef3304883a702a4e760f3c5ae838a4b69768
Signed URL based on algorithm E:
  • Preview enabled
  • Pseudo-streaming enabled

Sitemizi ve deneyiminizi iyileştirmek için çerezleri kullanırız. Sitemizde tarama yapmaya devam ederek çerez politikamızı kabul etmiş olursunuz. Daha fazla bilgi edinin





Selected Content

Submit selected content with the feedback