Protect Flash Files from Download, Protect Flash Files from Import.

Protect Flash files from being downloaded with this technique. It is not fool-proof, but this takes a completely different approach to stopping the average user trying to get at your SWF files than other tactics.

Protect Flash Files from Being Downloaded

Protecting Flash files: the example

Try your hand at downloading the Flash movie in this example.

PLEASE READ: While many have found this method to be successful for them, there are so many ways to get around all measures of Flash file protection. I DO NOT provide technical support for this article.


You need to add two things to the page that the Flash movie will play on. First, add lines 1-3 to the very top of your page. Second, add lines 9-11 directly above the object tag. Lastly, change the extension of the page to .php so your server will know to parse the PHP instead of writing it to the page.

  1. <?php
  2. session_start();
  3. ?>
  4. <html>
  5.   <head>
  6.     <title>Flash</title>
  7.   </head>
  8.   <body>
  9. <?php
  10. $_SESSION["flash"] = $_SERVER["HTTP_HOST"];
  11. ?>
  12.     <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="550" height="400" id="movie_name">
  13.       <param name="movie" value="flash.php" />
  14.       <!--[if !IE]>-->
  15.       <object type="application/x-shockwave-flash" data="flash.php" width="550" height="400">
  16.         <param name="movie" value="flash.php"/>
  17.       </object>
  18.       <!--<![endif]-->
  19.     </object>
  20.   </body>
  21. </html>


Here's where the real muscle comes in. You'll notice above that the source of the movie is a PHP file rather than the SWF file, so what the page links to won't technically be a Flash file. Create a new file on your server called flash.php. This is the file that your HTML will link to instead of the real Flash movie.

  1. <?php
  2. session_start();
  4. if(isset($_SESSION["flash"])) {
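  5.   $referrer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : ""; // header may be absent
  6.   $referrer = parse_url($referrer);
  7.   if(!isset($referrer["host"]) || $referrer["host"] !== $_SESSION["flash"]) { // no host or wrong host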
  8.     echo "Permission denied.";
  9.     die();
  10.   }
  11. } else {
  12.   echo "Permission denied.";
  13.   die();
  14. }
  16. unset($_SESSION["flash"]);
  18. header("Cache-Control: no-cache, must-revalidate");
  19. header("Expires: Mon, 18 Jan 2010 00:00:00 GMT"); // Don't change.
  20. header("Content-type: application/x-shockwave-flash");
  21. readfile("/home/www/private/real_movie.swf");
  23. ?>

The only change you need to make to this file is on line 21. Replace /home/www/private/real_movie.swf with the full server path to the Flash movie you want to play. If you don't know your full server path, you can find your document root by creating this PHP file and viewing it in your browser:

  1. <?php
  2. echo $_SERVER["DOCUMENT_ROOT"];
  3. ?>

The ideal spot to put the real .swf file would be a place on your server where browsers can't go such as a password protected directory or in a private folder outside of the document root.

How does this protect my Flash files from being downloaded?

The first thing that happens is the HTML page creates a session (sessions are kind of like cookies) and stores the domain of the site in it. The page then opens the PHP script as if it were a genuine Flash file. The script performs a quick check to see whether the host in the request's Referer header is the same as the domain stored in the session. If it doesn't match or the session was never created, the script simply prints "Permission denied." and stops. If it does match, the script removes the session value and sends the movie, so each page load is good for one request.
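
A variant of this session gate, as an added example rather than the article's own code: instead of comparing the Referer header (which the client supplies and which some browsers omit) with the stored host name, the page puts a random one-time token in the session and in the movie URL, and flash.php serves the file only to the first request that presents that token before it expires. The function names, the flash_token key, the t query parameter and the 30-second lifetime are assumptions; like the original, this slows casual downloading and is not fool-proof.

```php
<?php
// Added example: one-time token gate. Not the article's code.
// Assumed names: issue_token(), redeem_token(), "flash_token", TOKEN_TTL.

const TOKEN_TTL = 30; // seconds a token stays valid (assumed value)

// Embedding page: store a random token in the session and return it so the
// page can print it into the movie URL, e.g. flash.php?t=<token>.
function issue_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session["flash_token"] = ["value" => $token, "expires" => $now + TOKEN_TTL];
    return $token;
}

// flash.php: accept only the first request that presents the unexpired token.
// The stored token is discarded on every attempt, whether it matches or not.
function redeem_token(array &$session, $presented, int $now): bool
{
    $stored = $session["flash_token"] ?? null;
    unset($session["flash_token"]);
    if (!is_array($stored) || !is_string($presented)) {
        return false;
    }
    // hash_equals() compares the two strings in constant time.
    return $now <= $stored["expires"] && hash_equals($stored["value"], $presented);
}

// Constructed demonstration: a plain array stands in for $_SESSION and the
// timestamps are made up. In the real pages, pass $_SESSION and time(), and
// read the presented token from $_GET["t"] ?? null.
$session = [];
$token = issue_token($session, 1000);
$results = [
    "first request"  => redeem_token($session, $token, 1005),
    "second request" => redeem_token($session, $token, 1006),
];
$token = issue_token($session, 2000);
$results["after expiry"] = redeem_token($session, $token, 2000 + TOKEN_TTL + 1);
issue_token($session, 3000);
$results["wrong token"] = redeem_token($session, "not-the-token", 3001);
$results["no token"] = redeem_token($session, null, 3002);

foreach ($results as $case => $accepted) {
    echo str_pad($case, 16), $accepted ? "serve movie" : "Permission denied.", "\n";
}
```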

Update: 8 August, 2007

A couple of ways to get around this preventative measure have been brought to my attention, so consider this method a way to slow down experienced hackers. Personally, if I ran into this being used on a Flash file that I wanted to download, I would shrug my shoulders and give up.

Update 2: 18 January, 2010

I've been looking into making use of HTTP headers to improve the performance of my site, and I realised a couple of them might be useful for this example. I added a no-cache header and an expire header that's in the past. This might prevent people from being able to download a Flash file from their cache, but I haven't done any testing.

Contact me if you have any ideas or info about this.

Update 3: 8 January, 2012

This script has been updated, and is now much much easier to implement!

Terms and Conditions

By using this information, you consent to the following:

In no event shall I be held liable for any damages whatsoever (including, without limitation, incidental and consequential damages, lost profits, or damages resulting from lost business) resulting from the use or inability to use the material on this website.
