How to Stop Course Video Piracy in 2026 — A Practical Guide

Every course creator eventually finds their material on Telegram, Discord, or a knockoff site. The instinct is to lock everything down. The reality is more nuanced: most piracy is preventable with three or four layers of friction, and the rest is theatre.

This guide is the realistic playbook. We’ll skip the snake oil and focus on what actually moves the needle.

Understand the threat model

Before you spend on protection, name your attacker:

  • The casual sharer. A student who downloads a video and DMs it to a friend. By far the most common.
  • The bulk re-uploader. Someone who downloads your full library and reposts it on a piracy site or Telegram channel.
  • The competitor scraper. Rare, but exists for high-ticket niches (trading, real estate coaching).
  • The determined ripper. Has hardware HDMI capture, multiple devices, automation. You will not stop this person; you can only make them not worth the effort.

The first two are 95% of your problem. They’re also the cheapest to deter.

Layer 1: Encrypt your video segments (table stakes)

Plain MP4 files on a public CDN are a one-line yt-dlp command away from your hard drive. The minimum bar in 2026 is AES-128 encrypted HLS segments with the key delivered separately at playback time.

With AES-128 HLS, each video is split into ~6-second segments and every segment is encrypted with a 128-bit key. The player fetches the key over HTTPS, decrypts segments in memory, and feeds them to the <video> element. Without the key, the segments are garbage bytes.

If you’re using AVCaption, this is on by default. If you’re rolling your own with FFmpeg, the relevant flags are -hls_key_info_file and -hls_enc 1. Cloudflare Stream and Mux apply their own encryption automatically.

Better: multi-key HLS. Rotate the key every N segments (every ~60 seconds). A captured key URL only exposes one minute of video, not the whole file. AVCaption uses this by default; most other platforms only do single-key HLS.
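To check whether a playlist you are served is really multi-key, you can measure how many seconds of video each key URI unlocks. The script below is an added example, not AVCaption's or FFmpeg's code; the sample playlist is constructed and `keys.example.com` is a placeholder host.

```python
import re

ATTR = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')

def sample_playlist(segments=30, rotate_every=10, seg_seconds=6.0):
    """Constructed media playlist: a new key every `rotate_every` segments."""
    out = ["#EXTM3U", "#EXT-X-VERSION:3", "#EXT-X-TARGETDURATION:6"]
    for i in range(segments):
        if i % rotate_every == 0:
            uri = f"https://keys.example.com/k/{i // rotate_every}"  # placeholder
            out.append(f'#EXT-X-KEY:METHOD=AES-128,URI="{uri}"')
        out += [f"#EXTINF:{seg_seconds:.3f},", f"seg{i:05d}.ts"]
    return "\n".join(out + ["#EXT-X-ENDLIST"])

def audit_playlist(text):
    """Summarise how much video each key URI unlocks in an HLS media playlist."""
    key_uri, duration = None, 0.0
    seconds_per_key, clear_segments, plain_http = {}, 0, set()
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#EXT-X-KEY:"):
            found = ATTR.findall(line[len("#EXT-X-KEY:"):])
            attrs = {name: value.strip('"') for name, value in found}
            # METHOD=NONE means the following segments are not encrypted.
            key_uri = None if attrs.get("METHOD") == "NONE" else attrs.get("URI", "")
            if key_uri and key_uri.startswith("http://"):
                plain_http.add(key_uri)
        elif line.startswith("#EXTINF:"):
            duration = float(line[len("#EXTINF:"):].split(",")[0])
        elif line and not line.startswith("#"):  # a segment URI
            if key_uri is None:
                clear_segments += 1
            else:
                seconds_per_key[key_uri] = seconds_per_key.get(key_uri, 0.0) + duration
    return {
        "keys": len(seconds_per_key),
        "max_seconds_per_key": max(seconds_per_key.values(), default=0.0),
        "clear_segments": clear_segments,
        "plain_http_key_uris": sorted(plain_http),
    }

if __name__ == "__main__":
    print("multi-key :", audit_playlist(sample_playlist(30, 10)))
    print("single-key:", audit_playlist(sample_playlist(30, 30)))
```

A single-key playlist reports one key covering the full running time; a multi-key one reports several keys, each covering roughly the rotation interval.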

Layer 2: Sign your playback URLs

An encrypted segment is useless without the key, but the key URL itself is just a URL. If it’s static and public, an attacker grabs it once and re-uses it forever.

The fix is signed URLs: the player requests the key URL with a short-lived token (5–15 minutes) bound to viewer IP, embed referrer, or user session. The server verifies the token before returning the key.

This kills the “scrape once, rip forever” workflow. It does not stop a real-time capture, but it dramatically raises the cost of bulk extraction.
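One way to implement the token check described above, as an added example rather than any platform's actual scheme. The secret, the token layout and the function names are assumptions made for illustration; the 600-second default sits inside the 5–15 minute range.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a server-side secret shared by the token issuer and the key endpoint.
SECRET = b"constructed-demo-secret-not-for-production"

def _mac(video_id, session_id, client_ip, expires):
    # JSON-encode the bound fields so no value can bleed into its neighbour.
    payload = json.dumps([video_id, session_id, client_ip, expires]).encode()
    digest = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=")

def sign_key_token(video_id, session_id, client_ip, ttl=600, now=None):
    """Mint '<expires>.<mac>' for one viewer and one video (ttl in seconds)."""
    expires = int(time.time() if now is None else now) + ttl
    return f"{expires}.{_mac(video_id, session_id, client_ip, expires).decode()}"

def verify_key_token(token, video_id, session_id, client_ip, now=None):
    """Key endpoint check. Bound values come from the request, never the token."""
    try:
        expires_text, mac_text = token.split(".", 1)
        expires = int(expires_text)
    except ValueError:
        return False, "malformed"
    expected = _mac(video_id, session_id, client_ip, expires)
    # Constant-time comparison; a changed expiry or binding fails here.
    if not hmac.compare_digest(expected, mac_text.encode()):
        return False, "bad-signature"
    if (time.time() if now is None else now) >= expires:
        return False, "expired"
    return True, "ok"

if __name__ == "__main__":
    token = sign_key_token("lesson-1", "sess-a", "203.0.113.7")
    print(verify_key_token(token, "lesson-1", "sess-a", "203.0.113.7"))
    print(verify_key_token(token, "lesson-1", "sess-a", "198.51.100.9"))
```

Binding to IP will reject legitimate viewers whose address changes mid-session (mobile networks, VPNs), so many deployments bind to the session alone.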

Layer 3: Domain whitelisting

Even with encrypted, signed playback, an attacker can iframe your embed onto their own page. Domain whitelisting checks the Referer and Origin headers against an allowlist. If your video is embedded on student-portal.example.com, only requests from that origin get a key.

This is a soft check (Referer can be spoofed by tooling), but it stops the lazy 80% — the resellers who paste your iframe into a knockoff site without rewriting headers.

AVCaption has per-video domain whitelisting in the dashboard. Most enterprise hosts do too. If yours doesn’t, that’s a red flag.
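If you implement this check yourself, compare the parsed hostname exactly instead of searching the header for an allowed name. The sketch below is an added example, not any host's implementation; the header values are constructed, and failing closed when both headers are absent is an assumed policy.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"student-portal.example.com"}   # the article's example origin

def substring_check(header_value):
    """Weak form: passes any URL that merely contains an allowed name."""
    return any(host in header_value for host in ALLOWED_HOSTS)

def embed_allowed(headers):
    """Exact-host check. Prefers Origin, falls back to Referer."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return False            # assumption: the key endpoint fails closed
    try:
        parts = urlsplit(value)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:          # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    return parts.scheme == "https" and host in ALLOWED_HOSTS

# Constructed header values for the demonstration.
SAMPLES = [
    {"Origin": "https://student-portal.example.com"},
    {"Referer": "https://student-portal.example.com/lesson/3"},
    {"Referer": "https://student-portal.example.com.mirror.example/lesson/3"},
    {"Referer": "https://mirror.example/?from=student-portal.example.com"},
    {"Origin": "null"},
    {},
]

def compare():
    """Return (value, substring result, exact result) for each sample."""
    rows = []
    for headers in SAMPLES:
        value = headers.get("Origin") or headers.get("Referer") or ""
        rows.append((value, substring_check(value), embed_allowed(headers)))
    return rows

if __name__ == "__main__":
    for value, weak, strict in compare():
        print(f"{value!r:65} substring={weak!s:5} exact={strict}")
```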

Layer 4: Dynamic per-viewer watermarks

This is the highest-leverage anti-piracy feature you can deploy, and it’s underused.

A dynamic watermark burns a viewer’s identifier (email, user ID, last 4 digits of phone) into the video at playback time, semi-transparently, in a moving location. When a leaked copy surfaces, you know exactly who leaked it.

Two effects:

  1. Pre-leak deterrence. Once students know their email shows up in any leak, sharing collapses. The math changes from “who would notice?” to “definitely notice me.”
  2. Post-leak recourse. You can identify the leaker, revoke their access, and (if you have terms of service) pursue chargebacks or legal action.

Watermarks don’t prevent screen capture. They make screen capture personally risky for the capturer.

Layer 5: Rate limiting and abuse signals

Set a sane per-IP and per-user rate limit on key endpoints. A normal viewer fetches a few keys per minute (one per ~60-second batch). A ripper trying to download everything fetches hundreds per minute. That’s a clear signal — block, log, alert.

Pair with anomaly detection: same user fetching keys from 12 IPs in 10 minutes? Probably credential sharing. Auto-flag and review.
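Both signals can be computed from the key endpoint's access log with two sliding windows per user. This is an added example over a constructed log, not a platform feature; the 30-keys-per-minute threshold is an assumed value, while the 12 IPs in 10 minutes figure comes from the paragraph above.

```python
from collections import defaultdict, deque

KEYS_PER_MINUTE_LIMIT = 30   # assumption: far above "a few keys per minute"
DISTINCT_IP_LIMIT = 12       # the article's credential-sharing example
IP_WINDOW_SECONDS = 600      # "in 10 minutes"

def scan_key_fetches(events):
    """events: (unix_seconds, user, ip) tuples in time order. Returns {(user, flag)}."""
    recent = defaultdict(deque)     # user -> fetch times in the last 60 s
    seen = defaultdict(deque)       # user -> (time, ip) in the last 10 min
    flags = set()
    for ts, user, ip in events:
        times = recent[user]
        times.append(ts)
        while times[0] <= ts - 60:              # drop fetches older than a minute
            times.popleft()
        if len(times) > KEYS_PER_MINUTE_LIMIT:
            flags.add((user, "bulk-key-fetch"))

        pairs = seen[user]
        pairs.append((ts, ip))
        while pairs[0][0] <= ts - IP_WINDOW_SECONDS:
            pairs.popleft()
        if len({addr for _, addr in pairs}) >= DISTINCT_IP_LIMIT:
            flags.add((user, "many-ips"))
    return flags

def constructed_events():
    """Constructed log: one normal viewer, one bulk fetcher, one shared login."""
    normal = [(t, "alice", "203.0.113.5") for t in range(0, 600, 60)]
    bulk = [(t // 4, "bob", "198.51.100.20") for t in range(200)]
    shared = [(i * 45, "carol", f"192.0.2.{i + 1}") for i in range(12)]
    return sorted(normal + bulk + shared)

if __name__ == "__main__":
    for user, flag in sorted(scan_key_fetches(constructed_events())):
        print(f"{user}: {flag}")
```

The same loop keyed on IP instead of user gives the per-IP limit; feed the flags into whatever block, log and alert path you already have.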

What’s NOT worth your time

A few things look like security but aren’t:

  • Right-click “Save Video As” disabled. Cosmetic. Modern players already prevent native download for HLS streams.
  • Disabled keyboard shortcuts. Annoying for legitimate users, useless against ripping tools.
  • Obfuscated URLs. Adds confusion, not security. Anyone running browser DevTools sees the real URL.
  • DMCA whack-a-mole. Useful for high-value content, but exhausting. Watermarks scale better — let leakers self-deter.

A realistic stack for 2026

For a typical paid course or membership site, the stack that’s worth deploying:

  1. AES-128 multi-key HLS — encrypt the segments.
  2. Signed playback URLs with 5–15 min TTL — break scrape-once-rip-forever.
  3. Domain whitelist — kill iframe re-hosting by lazy resellers.
  4. Dynamic per-viewer watermark — deter leaks before they happen, identify leakers when they do.
  5. Rate limit + anomaly alerts — catch automated rippers fast.

You don’t need Widevine DRM unless your contract demands it. See our breakdown: AES-128 vs DRM for online courses.

How AVCaption fits in

AVCaption ships layers 1–4 by default on Premium, with layer 5 on the roadmap. Multi-key AES-128 HLS, signed embed tokens, per-video domain whitelist, and dynamic watermark are all dashboard toggles. Pricing is flat at $100/month per 5 TB so your bandwidth bill doesn’t scale with successful launches.

We’re not the only good option. Bunny Stream is cheaper if you’re tiny and don’t need watermarks. VdoCipher is the right call if you have a Widevine DRM mandate. Cloudflare Stream is fine if you’re already on the Cloudflare bill.

Bottom line

You can’t build an unrippable course. You can build a course that is expensive enough to rip that nobody bothers. That’s the realistic win condition.

The 4-layer baseline is on AVCaption’s free tier — upload one lesson, enable the domain whitelist, and try yt-dlp against the embed URL. If you can’t pull the segments, your casual-pirate problem is mostly solved. The per-viewer watermark layer (Enterprise) is the upgrade for high-value content where you also want to identify the leaker.

Frequently asked questions

Can I make my course videos 100% pirate-proof?
No. Anyone with a phone camera or a screen-capture tool can record playback. The realistic goal is to make piracy inconvenient enough that casual sharing stops and large-scale ripping becomes uneconomic.
Do I need full DRM (Widevine/FairPlay/PlayReady) for a paid course?
Almost never. DRM is mandated for studio-licensed content (Hollywood films, premium series). For self-produced courses, AES-128 multi-key encryption plus signed URLs and a per-viewer watermark is enough deterrent — and it costs a fraction of the price.
How effective are video watermarks against piracy?
Dynamic per-viewer watermarks (the viewer's email or user ID burned into the video at playback) are one of the highest-leverage deterrents. They don't prevent leaks, but they make leakers identifiable, which prevents most leaks before they happen.
Will yt-dlp still work on my videos?
If your videos are unencrypted MP4s on a public CDN, yes. If they're served as AES-128 encrypted HLS with signed key URLs and domain locking, yt-dlp variants stop working for casual users. Determined attackers can still capture playback, but the bulk-download workflow breaks.
What about screen recording — isn't that game over?
Screen recording always works. The point of anti-piracy is not to stop a determined attacker; it's to break the cheap, automated, mass-distribution path. A watermarked screen recording is also legally and reputationally risky for the leaker.
Should I block download tools at the network level?
You can't reliably. Focus on what you control: encrypted segments, short-lived signed URLs, domain whitelisting, and watermarks. Network-level detection is brittle and arms-race-y.