Which headers matter for M3U8 hotlink protection?
| Header | What it should be | When to use it |
|---|---|---|
| Referer | The page URL where the stream normally plays. | Use when the origin rejects direct .m3u8 requests or returns 403. |
| User-Agent | The client identity sent to the origin. | Use when the origin allows browsers but rejects bots or unknown clients. |
| Origin | The requesting web app origin. | Usually leave this to the browser or proxy; do not fake it unless you control the endpoint. |
| Cookie | Session state from the original site. | Avoid unless you own the stream workflow. This player does not ask for cookies. |
How to play M3U8 with a custom Referer
- 1
Find the original playback page
Use the page where the stream normally works as the Referer. Do not use the .m3u8 URL itself as the Referer.
- 2
Paste the M3U8 URL
Paste the manifest into the player and try playback once without custom headers to establish a baseline.
- 3
Enable the CORS proxy
Custom Referer and User-Agent forwarding requires the proxy because browsers do not let page scripts set those headers on direct media requests.
- 4
Set Referer and User-Agent
Open the advanced header controls, paste the original page URL as Referer, and add a normal desktop browser User-Agent only if the origin filters clients.
- 5
Run the health report
Validate the stream through the same proxy/header path so you can see whether the manifest, keys, or segments are still blocked.
Why browser players cannot set Referer directly
Browsers protect headers such as Referer and User-Agent. A web page cannot freely rewrite them for direct HLS segment requests. That is why this tool forwards custom headers through an optional proxy: the browser talks to the proxy, and the proxy talks to the HLS origin with the headers you selected.
What Referer value usually works
Use the canonical page URL where the video is embedded, such as https://example.com/watch/123. Do not use the CDN domain or the .m3u8 URL unless that is the actual page that the origin expects. If the source page redirects, use the final URL shown in the browser address bar.
How to tell hotlink protection from CORS
CORS blocks the browser from reading a response. Hotlink protection makes the origin refuse the request unless headers match its policy. If the proxy fixes CORS but the origin still returns 403, add Referer. If playback starts after Referer is set, the stream was hotlink-protected.
Related HLS debugging pages
- HLS CORS error explains when blocked browser requests need CORS headers or a proxy.
- M3U8 link troubleshooting covers the broader failure checklist for dead and protected links.
Frequently asked questions
Can I set a custom Referer for an M3U8 stream?
Yes. Enable the proxy, open the advanced header controls, and set the page URL where the stream normally plays as the Referer. The proxy forwards that Referer to the HLS origin.
Why cannot the browser set Referer directly?
Referer and User-Agent are protected request headers. Browser JavaScript cannot freely rewrite them for direct media requests, so custom header testing needs a proxy that forwards the headers server-side.
What Referer should I use for hotlink-protected HLS?
Use the original web page URL where the stream is embedded, not the .m3u8 URL. Many origins check that page before serving manifests, keys, or media segments.
Should I also change the User-Agent?
Only if the origin filters by client. Start with Referer alone, then add a normal desktop browser User-Agent if the stream is still rejected.
Does custom Referer bypass DRM?
No. Referer can help with hotlink protection, but it does not bypass DRM systems such as Widevine, FairPlay, or PlayReady.