Contents

Reference

Security Considerations

Contents

Security actions

The following actions are required in order to keep Pixel Streaming applications and REST API secure:

  • If you are using a reverse proxy to expose the REST API or the signalling server via a custom domain name for cloud platforms that don’t support custom domain names natively, ensure that TLS is enabled. See the Using a Custom Domain page for more information about when this is necessary.

  • Ensure the access key remains safe. If it is compromised, you will need to reset the access key as soon as possible.

  • If you are hosting the frontend files yourself, ensure that TLS is enabled for your web server or CDN.

  • If you are accessing multiple signalling servers through a load balancer, ensure that TLS is enabled for the balancer.

Read the following sections on securing the REST API and Pixel Streaming applications to understand these requirements in-depth.

Securing the REST API

Note: REST API access on AWS is not encrypted in the current version of Scalable Pixel Streaming.

TLS support on some cloud platforms is currently under development.

The REST API server provides full access to create, modify and delete Pixel Streaming applications and versions within a given installation of Scalable Pixel Streaming, thus it is important to secure the REST API and prevent access by untrusted parties. Scalable Pixel Streaming makes use of two security measures:

  • Encryption: When Scalable Pixel Streaming is deployed on CoreWeave, connections to the REST API are encrypted using Transport Layer Security (TLS). This is signified by the use of a secure https:// URL rather than an unencrypted http:// URL. In future versions of Scalable Pixel Streaming, TLS will be enabled for all cloud platforms.

  • Authentication: Each REST API server has an associated access key that is required in order to submit API requests. The access key can be customised when Scalable Pixel Streaming is installed, or a random value will be automatically generated. Client software connecting to the REST API must authenticate all requests using HTTP basic authentication, using admin as the username and the access key as the password.

Securing Pixel Streaming applications

Note: WebSocket access is not encrypted in the current version of Scalable Pixel Streaming.

TLS support on some cloud platforms is currently under development.

There are three distinct network connections involved when a web browser loads the frontend and communicates with a Pixel Streaming application running on Scalable Pixel Streaming, each of which has its own security considerations:

  • HTTP connection to the web server: The web browser will establish an HTTP connection to the web server that hosts the frontend files in order to load the player page. If you are hosting the frontend files on your own server or CDN, then you will need to ensure that Transport Layer Security (TLS) is enabled. This is signified by the use of a secure https:// URL rather than an unencrypted http:// URL.

  • WebSocket connection to the signalling server: The web browser connects to the Scalable Pixel Streaming signalling server using the WebSocket protocol. The encrypted connection will be signified by the use of a secure wss:// URL rather than an unencrypted ws:// URL. If you are deploying on a cloud platform that doesn’t support custom domain names and using a reverse proxy to provide this functionality instead, then you will need to ensure that TLS is enabled for the proxy. If you are deploying Pixel Streaming applications across multiple geographic regions or cloud platforms and using a load balancer to access the signalling servers, then you will need to ensure that TLS is enabled for the load balancer.

  • WebRTC connection to the Pixel Streaming application: The web browser connects to the Pixel Streaming application using the WebRTC protocol stack in order to receive audio and video output and send back data input. WebRTC connections are always encrypted, since Datagram Transport Layer Security (DTLS) is a mandatory feature of the protocol stack.

Configuring authentication for your Pixel Streaming applications

Your SPS application HTTP endpoint URL by default is public, so anyone with the link will be able to access your application. To restrict the link, you need to configure OAuth or a custom athentication mechanism. If you wish to keep your link public, take care of how you distribute it, and configure the cloud resources available to your deployment accordingly, to avoid incurring unexpected or undesired cloud costs.