Protecting Your Flash and Shockwave Content from Thieves

by Gary Rosenzweig

You work hard, invest time, effort and money, and build a game. You put it on your Web site. People from all over the world play your game. Life is good.

Then, one day, you are surfing the Internet and you find a listing for a game with the same name as yours. Wait a minute! That IS your game. Someone took it from your site and placed it on theirs. They didn't ask, they just took.

All your hard work is now being claimed by someone else. But you could have prevented that. Here's how:

It is pretty easy to make sure your Shockwave game can only be run on your site, only in your Web pages. It just takes two steps.

First, you can check to make sure that the Shockwave file is on your server. You can use the moviePath to do that.

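if not (the moviePath starts "http://www.example.com/") then
  -- placeholder URL above: use your own site's address
  halt -- not on your server: stop the movie
end if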

You may want to check for both the plain domain and the domain with the "www" prefix.

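okToPlay = FALSE
-- placeholder URLs: use your own domain, with and without "www"
if the moviePath starts "http://example.com/" then okToPlay = TRUE
if the moviePath starts "http://www.example.com/" then okToPlay = TRUE
if not okToPlay then
  halt -- not on your server: stop the movie
end if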

The code prevents the game from working if the .dcr file is not on your server. But someone could still create an OBJECT/EMBED tag that links across to your site to use your .dcr file. You can prevent this by checking the "src" parameter with the externalParamValue function. If the "src" parameter starts with "http:", then the .dcr can be on any site. If not, then the .dcr must be on the same site as the HTML page, which is how you should set up your pages.

if externalParamValue("src") starts "http:" then okToPlay = FALSE

By taking these two steps, you can virtually ensure that your .dcr Shockwave files cannot be stolen.


A Flash .swf, made with Flash 5 or MX, can be protected equally well. However, it is a bit more difficult.

First, you can check to see if the .swf file is on your server. Do this by checking the _root._url property.

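okToPlay = false;
siteURL = "http://www.example.com/"; // placeholder: use your own site's URL
if (_url.substr(0, siteURL.length) == siteURL) {
    okToPlay = true;
}
if (!okToPlay) {
    stop(); // not on your server: do not let the movie play
}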

You can check for multiple site URLs, like "" and "".

So that takes care of someone stealing the .swf file and placing it on their server. However, someone could still make an OBJECT/EMBED tag that links to the .swf on your server.

Unfortunately, there is no externalParamValue function in Flash. So you can't read the "src" tag.

However, you can pass variables into Flash using the URL. For instance, "mymovie.swf?id=7&" will load the movie mymovie.swf, with the variable "id" equal to 7.

You can use this to secure your games a little better. Just include the "?id=7&" in BOTH your OBJECT and EMBED tags on the HTML page. Then check in the Flash movie to see if "id" equals 7.

if (id == 7) {
    okToPlay = true;
}

If someone steals your game by linking to the .swf on your site, they will most likely copy the "?id=7&" portion of the tag as well.

However, you can open up the Flash movie, change it to check for id == 8, and then change your HTML page to read "?id=8&". So the game still works on your site, but not theirs. They can always change it to match, but chances are it won't be worth it to them to try to keep up with you. You always have the upper hand.

Other Methods

There are lots of other ways to protect your Shockwave and Flash movies. Here are a few:

  • Both Shockwave and Flash can read external text files (getNetText and loadVariables commands). So place a security file on your server that all of your games read, using a local URL. Now if the games are copied to another site, they won't work because the text file is not present.

  • Build in expiration dates. Make a game that will not work after Dec. 31 of this year. In Shockwave, "the systemDate" can be used to check for the current date. In Flash, getDate() can be used. Then, at the end of the year, update the games on your site so they expire next Dec. 31. But the stolen games on other sites will all expire.

  • Put copyright notices inside the content. This way, if the movies are stolen, at least you are getting the proper credit anyway. Plus it will be very easy for you to accuse the thief of stealing if the content is labeled. You can just put a plain copyright notice, or go as far as a huge logo and links back to your site. If it is embedded in the game, there is not much they can do to remove it.
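
The Flash checks described above (the movie URL, the "id" variable and the expiration date) combined into one decision, as an added example that is not part of the original article. It is written in JavaScript so the logic can be run outside Flash; the site URLs, the id value and the expiration date are constructed placeholders, and in a movie the inputs would be _root._url, id and new Date().

```javascript
// Added example: the article's three Flash checks combined into one decision.
// ALLOWED_PREFIXES, CURRENT_ID and EXPIRES are constructed sample values.
var ALLOWED_PREFIXES = [
  "http://example.com/",      // plain domain; the trailing "/" is deliberate
  "http://www.example.com/"   // same domain with the "www" prefix
];
var CURRENT_ID = "7";                 // must match "?id=7&" in OBJECT and EMBED
var EXPIRES = new Date(2031, 0, 1);   // first instant after Dec. 31, 2030

// True if movieUrl begins with one of the allowed site prefixes.
function isOnAllowedSite(movieUrl, prefixes) {
  var url = String(movieUrl).toLowerCase();
  for (var i = 0; i < prefixes.length; i++) {
    var p = prefixes[i];
    // Skip any prefix that does not end in "/": a bare host such as
    // "http://example.com" would also match "http://example.com.other.test/".
    if (p.charAt(p.length - 1) != "/") continue;
    if (url.substr(0, p.length) == p.toLowerCase()) return true;
  }
  return false;
}

// Returns "" when the movie may play, otherwise the reason it may not.
function whyBlocked(movieUrl, id, now) {
  if (!isOnAllowedSite(movieUrl, ALLOWED_PREFIXES)) return "wrong site";
  // Variables passed on the URL arrive as strings, so compare as strings.
  if (String(id) != CURRENT_ID) return "wrong id";
  if (now.getTime() >= EXPIRES.getTime()) return "expired";
  return "";
}
```

When you change the id on your pages or move the expiration date forward, only CURRENT_ID and EXPIRES need to change.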