CGJU
CGJU
June 1, 2026 ยท 7 min read

403 Forbidden Errors

403 Forbidden is one of the most common errors in video download, indicating that the server understood the request but refused to authorize access. This is usually caused by the website's anti-hotlinking mechanism.

Common Causes of 403 Errors

  • Referer Anti-Hotlinking: The server checks the Referer field in the request header and only allows requests from specific domains
  • Cookie/Session Authentication: Login or a specific session is required for access
  • IP Restriction: The server restricts access from certain IP addresses
  • User-Agent Detection: The server rejects non-browser requests
  • Signature Expiration: Video links include signature parameters with time limits

Solutions

1. Spoof the Referer

Set the correct Referer header in your download tool to simulate a request originating from the video's page. FFmpeg example:

ffmpeg -headers "Referer: https://example.com/video-page" \
    -i "https://example.com/stream.m3u8" -c copy output.mp4

2. Set the User-Agent

Use a browser User-Agent string to simulate a real browser request:

ffmpeg -user_agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" \
    -i "https://example.com/stream.m3u8" -c copy output.mp4

3. Use Cookies

If login is required to watch, you can export cookies from your browser and use them during download:

ffmpeg -headers "Cookie: sessionid=abc123; user=test" \
    -i "https://example.com/stream.m3u8" -c copy output.mp4

CORS Cross-Origin Issues

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that restricts webpages from loading resources from different origins. It's commonly encountered when playing or downloading videos on the web.

What is CORS

When JavaScript code on webpage A (domain a.com) tries to request resources from domain b.com, the browser first sends a preflight request (OPTIONS) to ask if b.com allows a.com access. If b.com's response headers don't have proper CORS settings, the browser will block the request.

  • Access-Control-Allow-Origin: Allowed origin domains for access
  • Access-Control-Allow-Methods: Allowed HTTP methods
  • Access-Control-Allow-Headers: Allowed request headers
  • Access-Control-Allow-Credentials: Whether cookies are allowed
  • Access-Control-Max-Age: Cache duration for preflight requests

Solution Approaches

For developers, if you control the video server, you can configure CORS response headers to allow cross-origin access. For regular users, try the following methods:

  • Use desktop players (like VLC) instead of web players
  • Use browser extensions to disable CORS (for testing only)
  • Set up a proxy server to forward requests
  • Use download tools that support proxy support

Many video websites use HLS streaming, but M3U8 links are not directly displayed on the page. Here are several common extraction methods.

Method 1: Browser Developer Tools

This is the most common and reliable method:

  1. Press F12 on the video page to open Developer Tools
  2. Switch to the Network panel
  3. Type m3u8 in the filter box
  4. Refresh the page and play the video
  5. Find the .m3u8 file in network requests, right-click and copy the link

Method 2: View Page Source

Some websites include M3U8 addresses directly in the page source:

  1. Right-click on the video page and select "View Page Source"
  2. Press Ctrl+F to search for .m3u8
  3. Find the complete M3U8 link

Method 3: Use Browser Extensions

Some browser extensions can automatically detect and extract video addresses:

  • Video DownloadHelper: Supports extracting videos in multiple formats
  • HLS Stream Detector: Specialized in detecting HLS streams
  • Cat Catch: A domestic media resource sniffing extension

Method 4: Use Packet Capture Tools

For complex websites, you can use packet capture tools to analyze all network requests:

  • Charles: A commonly used packet capture tool on Mac/Windows
  • Fiddler: A classic packet capture tool for Windows platform
  • Wireshark: A powerful network protocol analyzer

AES-128 Encrypted Stream Handling

Many HLS videos use AES-128 encryption, where each TS segment is encrypted and requires a key to decrypt and play.

How to Determine If Encrypted

Open the M3U8 file โ€” if you see the #EXT-X-KEY tag, the video is encrypted:

#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=AES-128,URI="key.key",IV=0x1234567890abcdef
#EXTINF:10.0,
segment0.ts
#EXTINF:10.0,
segment1.ts
#EXT-X-ENDLIST

Encryption Parameters Explained

  • METHOD=AES-128: Encryption method is AES-128
  • URI="key.key": Address of the key file
  • IV=0x...: Initialization vector (optional, defaults to segment number)

How to Handle Encrypted Streams

As long as you can obtain the key, FFmpeg can automatically decrypt and download encrypted HLS videos:

ffmpeg -i "https://example.com/stream.m3u8" -c copy output.mp4

FFmpeg will automatically read the key address from M3U8, download the key, and decrypt. But note:

  • The key file needs to be accessible (may also have anti-hotlinking)
  • If the key address is a relative path, FFmpeg will automatically construct the full address
  • Some websites have more complex logic for key acquisition, which may require additional handling

DRM Protection Explained

DRM (Digital Rights Management) is a more advanced protection mechanism than AES-128, commonly used on paid video platforms.

Common DRM Solutions

  • Widevine: DRM solution by Google, supported on Android and Chrome browser
  • FairPlay: DRM solution by Apple, supported on iOS and Safari
  • PlayReady: DRM solution by Microsoft
  • ChinaDRM: Domestic DRM standard in China

Differences Between DRM and AES-128

Feature AES-128 DRM
Key Acquisition Downloaded directly from address in M3U8 Must be obtained through authorization server
Key Security Low, keys can be intercepted High, keys are hardware-protected
Can Download & Decrypt Yes (with the key) Very difficult
Use Cases Regular video websites Paid videos, movies, etc.

Can DRM Videos Be Downloaded?

DRM-protected videos are very difficult to download and crack directly. DRM videos from legitimate channels (like Netflix, Disney+, etc.) have strict protection mechanisms, including:

  • Keys never appear in plaintext in memory
  • Use secure chips or trusted execution environments
  • Each device has a different key
  • Continuous updates and upgrades to protection mechanisms

For DRM-protected content, we recommend watching through legal channels and respecting copyright.

Referer Anti-Hotlinking

Referer anti-hotlinking is the most common video protection method, and also the easiest to bypass.

How It Works

When a browser requests a resource, it includes the Referer field in the request header, indicating which page the current request originated from. The server decides whether to allow access by checking if the Referer is in the whitelist.

Bypass Methods

  1. Set the correct Referer: Add the video page URL to the request headers
  2. Remove the Referer: Some servers only check if it's empty, not the content
  3. Use specialized tools: Many download tools support custom Referer headers

FFmpeg Referer Setup

ffmpeg -headers "Referer: https://www.example.com/videos/123" \
    -i "https://cdn.example.com/stream.m3u8" -c copy output.mp4

yt-dlp Referer Setup

yt-dlp --referer "https://www.example.com/videos/123" \
    "https://www.example.com/videos/123"

Other Common Issues

1. Video has audio but no video after download

Possible causes:

  • Video codec format not supported by the player (e.g., HEVC/H.265 requires additional plugins on some players)
  • Downloaded file is incomplete, video stream is corrupted
  • Container format issue, try remuxing to MP4

Solution: Try playing with VLC, or re-encode with FFmpeg.

2. Download speed is very slow

Possible causes:

  • Server speed limiting, throttling per-connection speed
  • High network latency, overhead from segmented downloads
  • TS segments too small, too many HTTP requests

Solution: Use tools that support multi-threaded downloading (like N_m3u8DL-RE), or use a proxy for acceleration.

3. Download fails halfway

Possible causes:

  • Unstable network, connection interrupted
  • Video link expired, needs to be re-obtained
  • Server connection limit reached

Solution: Use download tools that support resume, or download in a stable network environment.

4. How to download live streams

Live streams are continuously generated and have no fixed endpoint. You can use the following methods to record:

  • FFmpeg direct recording to file
  • Use live recording software like OBS Studio
  • Use specialized live download tools like streamlink

FFmpeg live recording example:

ffmpeg -i "https://example.com/live.m3u8" -c copy -bsf:a aac_adtstoasc output.mp4

Important Notes

When downloading videos, please note the following:

  • Respect Copyright: Only download videos you have the right to use, do not infringe on others' intellectual property
  • Fair Use: For personal learning and research purposes only, do not use for commercial purposes
  • Follow Website Rules: Do not make frequent requests that burden the server
  • Stay Safe: Use legitimate tools to avoid downloading malware

Summary

Various issues can be encountered in video downloading, from simple 403 errors to complex DRM protection. Understanding the principles and solutions to these problems can help you handle various scenarios more efficiently.

If you need to download M3U8 videos and convert them to MP4 format, try our M3U8 to MP4 Online Tool โ€” no software download needed, conversion can be done right in your browser.

Related Recommendations

More great articles and useful tools

Want to download M3U8 videos?

Use our free M3U8 to MP4 tool โ€” convert online, no software installation needed

Try It Now โžก