Networking, CDNs & Firewalls

How DRM traffic flows through CDNs, firewalls and routers.

How DRM traffic flows

Three networks meet during a DRM session:

CDN

The CDN serves manifests and segments. It must:

  • Honour HTTPS for everything in production.
  • Send the right MIME types (application/dash+xml, application/vnd.apple.mpegurl, video/mp4).
  • Allow the Range header (segments are often byte-range-fetched).
  • Set Access-Control-Allow-Origin to whatever your player needs.

The CDN must not see licence traffic. Licence URLs go through your application origin or a dedicated DRM endpoint.
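An added check for the four CDN requirements above (this is example code written for this page, not the project's own tooling). It inspects one CDN response offline: scheme, MIME type by extension, byte-range handling, and CORS. The sample responses in the test are constructed; hostnames are placeholders, and the extension-to-MIME table is an assumption for CMAF `.m4s` segments.

```python
from urllib.parse import urlparse

# MIME types the player expects, keyed by file extension.
# .mpd / .m3u8 / .mp4 come from the page; .m4s as video/mp4 is an assumption.
EXPECTED_MIME = {
    ".mpd": "application/dash+xml",
    ".m3u8": "application/vnd.apple.mpegurl",
    ".mp4": "video/mp4",
    ".m4s": "video/mp4",
}


def check_cdn_response(url, status, headers, request_headers=None, player_origin=None):
    """Return a list of problems with a manifest/segment response; [] means it is fine.

    url:             the request URL as the player would fetch it
    status:          HTTP status code of the response
    headers:         response headers (case-insensitive)
    request_headers: headers the player sent (used to detect Range requests)
    player_origin:   the web origin the player runs on, for the CORS check
    """
    problems = []
    req = {k.lower(): v for k, v in (request_headers or {}).items()}
    h = {k.lower(): v for k, v in headers.items()}
    parsed = urlparse(url)
    path = parsed.path.lower()

    # 1. HTTPS for everything in production.
    if parsed.scheme != "https":
        problems.append("not served over HTTPS")

    # 2. The right MIME type for the asset type.
    ext = next((e for e in EXPECTED_MIME if path.endswith(e)), None)
    if ext is None:
        problems.append(f"unrecognised asset extension in {path}")
    else:
        ctype = h.get("content-type", "").split(";")[0].strip().lower()
        if ctype != EXPECTED_MIME[ext]:
            problems.append(
                f"Content-Type {ctype or '<missing>'}, expected {EXPECTED_MIME[ext]}"
            )

    # 3. Byte-range support: a Range request must get 206 + Content-Range;
    #    an unranged response should at least advertise Accept-Ranges: bytes.
    if "range" in req:
        if status != 206:
            problems.append(f"Range request answered with {status}, expected 206")
        if "content-range" not in h:
            problems.append("partial response lacks Content-Range")
    elif h.get("accept-ranges", "").lower() != "bytes":
        problems.append("Accept-Ranges: bytes not advertised")

    # 4. CORS: the player's origin must be allowed, and a wildcard origin
    #    must not be combined with credentials (browsers reject that pairing).
    if player_origin:
        acao = h.get("access-control-allow-origin")
        if acao not in ("*", player_origin):
            problems.append(
                f"Access-Control-Allow-Origin {acao!r} does not allow {player_origin}"
            )
        if acao == "*" and h.get("access-control-allow-credentials", "").lower() == "true":
            problems.append("wildcard Access-Control-Allow-Origin with Allow-Credentials: true")

    return problems


def licence_url_off_cdn(licence_url, cdn_hosts):
    """True if the licence endpoint host is not one of the CDN hostnames."""
    return urlparse(licence_url).hostname not in {host.lower() for host in cdn_hosts}
```

Run it against real responses by feeding in `resp.status` and `resp.headers` from whatever HTTP client you use; the Range branch is the one CDNs most often get wrong after a configuration change, so include at least one ranged segment fetch in the check.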

Licence endpoint

Behind your app server. Typical shape:

POST /drm/widevine HTTP/1.1
Host: license.example.com
Authorization: Bearer <signed app token>
Content-Type: application/octet-stream
Content-Length: 1234

<binary licence request from CDM>

Response is opaque bytes the player feeds to session.update() / provideKeyResponse().

What the licence service must do:

  • Authenticate the caller (token).
  • Authorise (entitlement check).
  • Choose policy.
  • Call the SDK.
  • Return the SDK response.
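The five steps as one request handler, added here as an example and not the page's or any DRM vendor's code. The bearer-token format (`user:expiry:hex-HMAC`), the entitlement table and the policy fields are assumptions made for the example; the vendor SDK is passed in as a callable because its real API is not shown on the page, and `stand_in_sdk` is a constructed placeholder for it.

```python
import hashlib
import hmac
import time

# Assumption: the app server and the licence service share this secret for
# signing app tokens. Constructed value for the example.
APP_TOKEN_SECRET = b"constructed-secret-for-this-example"

# Constructed entitlement data: user -> set of content ids that user may play.
ENTITLEMENTS = {"alice": {"movie-42"}, "bob": set()}


def issue_token(user, ttl_s, now, secret=APP_TOKEN_SECRET):
    """Mint a bearer token of the assumed form user:expiry:hex_hmac (app-server side)."""
    exp = int(now) + ttl_s
    sig = hmac.new(secret, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{exp}:{sig}"


def verify_token(token, now, secret=APP_TOKEN_SECRET):
    """Step 1, authenticate: return the user if the token is well-formed, unexpired
    and carries a valid signature; otherwise None."""
    try:
        user, exp, sig = token.split(":")
        exp = int(exp)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or now >= exp:
        return None
    return user


def choose_policy(content_id):
    """Step 3, choose policy. Field names are assumptions: premium titles get a
    short renewable licence with HDCP required, everything else a day-long one."""
    if content_id.startswith("movie-"):
        return {"duration_s": 300, "renewable": True, "hdcp": "required"}
    return {"duration_s": 86400, "renewable": False, "hdcp": "optional"}


def stand_in_sdk(request_bytes, policy):
    """Constructed placeholder for the vendor SDK call (step 4). A real SDK turns
    the CDM's request plus a policy into an opaque licence blob; this one just
    produces deterministic bytes so the handler can be exercised end to end."""
    digest = hashlib.sha256(request_bytes + repr(sorted(policy.items())).encode())
    return b"LICENCE" + digest.digest()


def handle_license_request(headers, body, content_id, sdk=stand_in_sdk, now=None):
    """Steps 1-5 for POST /drm/<system>. Returns (status, response_headers, response_body).
    content_id is assumed to come from the route or a query parameter."""
    now = time.time() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    # Licence responses are per-session secrets: never cacheable, always opaque bytes.
    resp_headers = {"Content-Type": "application/octet-stream", "Cache-Control": "no-store"}

    # 1. Authenticate the caller.
    auth = h.get("authorization", "")
    if not auth.startswith("Bearer "):
        return 401, resp_headers, b""
    user = verify_token(auth[len("Bearer "):], now)
    if user is None:
        return 401, resp_headers, b""

    # 2. Authorise: entitlement check before any SDK work is done.
    if content_id not in ENTITLEMENTS.get(user, set()):
        return 403, resp_headers, b""

    # Only a binary CDM request is acceptable as the body.
    if h.get("content-type") != "application/octet-stream" or not body:
        return 400, resp_headers, b""

    # 3. Choose policy.  4. Call the SDK.  5. Return its response unchanged.
    policy = choose_policy(content_id)
    return 200, resp_headers, sdk(body, policy)
```

Keeping the entitlement check ahead of the SDK call matters for the burst scenarios discussed later on this page: unauthorised or expired callers are rejected cheaply without spending SDK capacity.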

Firewalls

Egress firewalls in corporate / enterprise networks routinely break DRM by:

  • Blocking the provisioning service URLs.
  • Intercepting TLS (corporate MITM proxies), so certificate and signature checks fail.
  • Stripping headers the licence service expects.

Have a "what to whitelist" page ready for IT teams that ask. The list is short:

  • Your licence URLs.
  • Google's provisioning service for the relevant Widevine version.
  • Standard CDN hostnames.

TCP vs UDP

DRM licence traffic is HTTPS, which runs over TCP; there is no UDP path. HTTP/3 would carry HTTPS over QUIC (UDP), but most licence services still serve plain HTTPS over HTTP/1.1 or HTTP/2.

Media segments may be served via HTTP/3 (QUIC) on advanced CDNs, but that's a CDN optimisation, not a DRM concern.

Concurrency and rate limits

Watch out for:

  • Licence-request bursts at scheduled live event start.
  • Provisioning bursts when a new app version rolls out (devices that already provisioned still re-provision per origin under Provisioning 3.0).
  • Renewal storms when many sessions hit licence expiry simultaneously.

Plan capacity accordingly. Cache static config; do not cache licence responses.
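Two mitigations for the bursts listed above, added as an example rather than taken from the page: `renewal_time()` is the player-side part (renew ahead of expiry with random jitter so sessions sharing one expiry spread across a window instead of renewing in the same second), and `TokenBucket` is a per-client limiter to put in front of the licence endpoint. Window sizes, rates and the session count in the test are constructed values.

```python
import random
from collections import Counter


def renewal_time(expiry, lead_s=60, jitter_s=30, rng=random):
    """Time at which one session should request renewal: lead_s before expiry,
    pulled earlier by a uniform random amount of up to jitter_s seconds."""
    return expiry - lead_s - rng.uniform(0, jitter_s)


def smeared_schedule(n_sessions, expiry, lead_s=60, jitter_s=30, rng=random):
    """Renewal times for n sessions that all hold licences expiring at `expiry`."""
    return sorted(renewal_time(expiry, lead_s, jitter_s, rng) for _ in range(n_sessions))


def max_per_second(times):
    """Peak number of renewals landing in any one-second bucket (capacity planning)."""
    if not times:
        return 0
    return max(Counter(int(t) for t in times).values())


class TokenBucket:
    """Per-key token bucket: up to `burst` requests at once, then `rate` per second.
    Key on whatever identifies a caller (device id, user, or client IP)."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self._state = {}  # key -> (tokens_available, last_seen_timestamp)

    def allow(self, key, now):
        tokens, last = self._state.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1.0:
            self._state[key] = (tokens - 1.0, now)
            return True
        self._state[key] = (tokens, now)
        return False
```

Jitter on the client only helps if the licence duration leaves room for it (the lead plus jitter must be shorter than the licence lifetime), and a per-client limiter protects against a misbehaving player rather than a legitimate event-start burst; size the bucket so a well-behaved player's request plus one retry always fits.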