How Platforms Like Instagram Protect Their Videos

The Problem
You have a video on a server. You want users to watch it. But you do not want them to download it. Or share direct links. Or scrape it with bots.
If you just put the file at cdn.example.com/video.mp4 anyone can copy that link. Share it anywhere. Download it forever. You have zero control once the link is out.
You need a way to say: "This person can watch this video. Right now. But not later. And nobody else can use their link."
Step 1: Signed URLs
A signed URL is a normal link with a temporary password baked into it.
The server has a private key. A secret file only the server knows. When a user requests a video the server does this:
Takes the video file path.
Picks an expiry time. Maybe 5 minutes from now.
Feeds the path and the expiry time and the private key into a signing algorithm. This produces a unique string called a signature.
Attaches all three to the URL.
The result looks like this:
cdn.example.com/video.mp4?Expires=1775506672&Key-Pair-Id=APKAI...&Signature=B029ItfCy...
Expires is a Unix timestamp. A number that represents a specific second in time.
Key-Pair-Id tells the server which key was used.
Signature is the proof that this URL is real and untouched.
When someone requests this URL the CDN checks: is the expiry time still in the future? Does the signature match? If anything is wrong or expired it rejects the request. Done.
If you change even one character in the URL the signature breaks. You cannot extend the expiry. You cannot swap the file path. The math will not match.
Step 2: Chunked Streaming (HLS)
Platforms do not serve one big video file. They use a protocol called HLS (HTTP Live Streaming).
HLS works like this:
The platform chops the video into small pieces called chunks. Each chunk is 2 to 10 seconds long. These are .ts files (Transport Stream).
The platform creates a playlist file (.m3u8). This is a text file that lists every chunk in order. Like a table of contents.
The video player fetches the playlist first. Then fetches chunks one by one. Plays chunk 1. Fetches chunk 2. Plays it. And so on.
The user never holds the full video at any point. Just tiny pieces arriving in real time.
Step 3: Combine Both
This is where it gets powerful. Every chunk gets its own signed URL with its own expiry.
The playlist itself is also a signed URL. So the full picture:
Playlist URL is signed. Expires in minutes.
Each chunk URL inside the playlist is signed. Expires in seconds.
Each user gets a different set of URLs. Generated fresh for their session.
Even if you open DevTools and grab a chunk URL you get one 5-second piece of the video. And the URLs for the other chunks are probably already dead.
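The checks from Step 1 and Step 3, as an added example that is not code from this article or from any platform: the CDN-side verification of a signed URL, and a playlist whose chunk URLs are each signed with their own expiry. It assumes HMAC-SHA256 with a shared secret in place of the private-key signature described above and leaves out Key-Pair-Id; the function names, the key and the chunk paths are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # constructed; a real signing key never leaves the server
HOST = "cdn.example.com"          # host from the article's example URL


def _signature(path: str, expires: str, key: bytes) -> str:
    # The signature covers both the path and the expiry, so neither can be edited.
    return hmac.new(key, f"{path}\n{expires}".encode(), hashlib.sha256).hexdigest()


def sign_url(path: str, expires: int, key: bytes = SECRET) -> str:
    """Origin side: attach the expiry and the signature to the URL."""
    query = urlencode({"Expires": expires, "Signature": _signature(path, str(expires), key)})
    return f"https://{HOST}{path}?{query}"


def verify_url(url: str, now: int, key: bytes = SECRET) -> bool:
    """CDN side: serve only if the signature matches and the expiry is in the future."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        raw_expires = query["Expires"][0]
        given = query["Signature"][0]
        expires = int(raw_expires)
    except (KeyError, ValueError):
        return False  # missing or malformed parameters are rejected outright
    expected = _signature(parts.path, raw_expires, key)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(given.encode(), expected.encode()) and now < expires


def build_playlist(video_id: str, chunks: int, now: int, ttl: int = 30) -> str:
    """Build an HLS playlist in which every chunk URL carries its own signature."""
    lines = ["#EXTM3U", "#EXT-X-VERSION:3", "#EXT-X-TARGETDURATION:5"]
    for i in range(chunks):
        lines.append("#EXTINF:5.0,")
        lines.append(sign_url(f"/{video_id}/chunk{i}.ts", now + ttl))
    lines.append("#EXT-X-ENDLIST")
    return "\n".join(lines)
```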
The Full Flow in Order
You open Instagram and scroll to a video.
The app sends a request: "I want video 12345."
Instagram checks your login session. Confirms you are a real user.
The server generates a signed playlist URL. Just for you. Expires soon.
The app fetches the playlist.
The playlist contains signed URLs for each chunk.
The app fetches chunk 1. Plays it.
The app fetches chunk 2. Plays it.
This continues until the video ends.
If you try to reuse any of these URLs later they are expired. Dead.
What Sits Behind All of This: CDNs
The video files do not sit on one server. They sit on a CDN (Content Delivery Network). A CDN is a network of servers spread around the world. When you watch a video you are fetching chunks from the server closest to you.
The CDN is the gatekeeper. It checks every signed URL before serving the file. You never talk directly to the real storage. The CDN is the bouncer at the door.
Amazon CloudFront is one popular CDN that supports signed URLs out of the box. Many platforms use it. Instagram runs their own custom CDN but the concept is identical.
Can Someone Still Download the Video?
Yes. Tools like yt-dlp can automate the process. They fetch the playlist and all chunks fast enough before they expire. Then stitch the chunks back together.
The goal was never perfect security. The goal is practical obscurity. Make it annoying enough that 99% of people will not bother. The casual user cannot right-click and save. The DevTools link dies in minutes. Only someone with technical knowledge and dedicated tools can get through.
That is the tradeoff every platform accepts.





