WebRTC is an open-source technology that enables real-time communication directly in web browsers and mobile apps. It powers video, voice, and data sharing between users without plugins or external software. Learn more about WebRTC from webrtc.org.
WebRTC security is a top concern for anyone building a video chat or live streaming app. WebRTC is designed to be safe from the start — it mandates DTLS-SRTP encryption on every media stream per IETF RFC 8827. But that built-in protection is only part of the story. To keep your streams fully protected, you need to understand where the security is enforced at the protocol level, and where your application is responsible for filling the gaps.
Before diving into the security details, it’s worth understanding how WebRTC establishes connections in the first place. For the full protocol architecture — ICE candidates, STUN/TURN negotiation, and SDP exchange — see What is WebRTC and How Does WebRTC Work?
Table of Contents
What Makes WebRTC Secure by Default?
WebRTC enforces mandatory encryption on every media and data channel — no configuration required, no opt-out path, no way to send unencrypted audio or video even by accident. This requirement is defined at the specification level in IETF RFC 8827 (WebRTC Security Architecture), which mandates DTLS-SRTP as the sole permitted encryption mechanism for all WebRTC media streams. Browser vendors enforce this independently — Chrome, Firefox, Safari, and Edge will all reject any WebRTC implementation that attempts to bypass it.
The security model covers three distinct layers: media stream encryption (handled by SRTP), key exchange and peer authentication (handled by DTLS), and device access control (handled by browser permission gates). Each layer addresses a different attack surface. SRTP prevents eavesdropping on media in transit. DTLS prevents man-in-the-middle substitution of encryption keys during connection setup. Browser permissions prevent unauthorized camera and microphone access at the OS level. Together these three layers form the WebRTC mandatory security stack — none of them are optional, and none can be selectively disabled by application developers.
How Does WebRTC Enforce End-to-End Encryption?
WebRTC enforces end-to-end encryption at the transport layer through mandatory DTLS-SRTP, meaning every audio and video frame is encrypted before it leaves the sender’s device and can only be decrypted by the intended recipient. This protection applies regardless of the network path — whether the media travels directly between two browsers or through a relay server such as a TURN server, the DTLS encryption wraps the payload at the endpoint and the relay server cannot access plaintext media.
RFC 8827 requires that the API generate a new DTLS key pair for every new call by default, which prevents call sessions from being linked to each other even by an attacker who captures both streams. The specification also requires that the negotiated DTLS-SRTP keying material never be exposed to JavaScript — the browser holds the keys internally and no application code can extract them. This architecture means that even a malicious or compromised web page cannot access the raw decryption keys for an active WebRTC session, regardless of what JavaScript it executes.
What Does SRTP Do in WebRTC?
SRTP (Secure Real-time Transport Protocol, RFC 3711) encrypts the actual audio and video payloads in a WebRTC stream and provides three cryptographic guarantees: confidentiality (payload encryption), integrity (tamper detection via HMAC-SHA1 authentication tags), and replay protection (sequence number tracking that blocks replayed packets). SRTP is specifically designed for real-time media transport — it adds minimal overhead compared to standard RTP, making it suitable for latency-sensitive applications where DTLS alone would be too heavyweight for per-packet encryption.
SRTP does not perform its own key exchange. The symmetric encryption keys that SRTP uses are derived entirely from the DTLS handshake through the DTLS-SRTP profile (RFC 5764). This means SRTP and DTLS are not independent systems — SRTP depends on DTLS to establish the keying material before any media can flow. The mandatory cipher suite for SRTP in WebRTC implementations is SRTP_AES128_CM_HMAC_SHA1_80, which provides 128-bit AES counter-mode encryption with an 80-bit HMAC-SHA1 authentication tag per RFC 8827. Implementations must support this profile and must prefer cipher suites that support Perfect Forward Secrecy (PFS) over non-PFS alternatives.
What is DTLS and Why Does WebRTC Use It Instead of TLS?
DTLS (Datagram Transport Layer Security, RFC 6347) is a datagram-adapted variant of TLS designed specifically for UDP transport — the protocol that WebRTC uses for real-time media delivery. Standard TLS operates over TCP and assumes ordered, reliable packet delivery. DTLS replicates TLS’s cryptographic security model for unreliable, unordered datagram channels by adding retransmission logic, an explicit sequence numbering system, and replay attack protection that standard TLS does not need because TCP provides ordering guarantees natively.
In the DTLS-SRTP handshake sequence, both endpoints exchange certificates, verify each other’s identity, and negotiate the SRTP keying material — all before the first media frame is transmitted. The fingerprint of each peer’s DTLS certificate is embedded in the SDP offer/answer exchange during signaling, which is why secure signaling (WSS rather than WS) is essential: if an attacker can modify the SDP in transit, they can substitute their own DTLS fingerprint and intercept the media stream. RFC 8827 explicitly states that signaling channel security is a prerequisite for DTLS-SRTP’s man-in-the-middle protections to hold. As of 2025, the WebRTC ecosystem is migrating from DTLS 1.2 to DTLS 1.3 (RFC 9147), with modern browsers phasing out DTLS 1.0 and 1.1 — implementations should negotiate DTLS 1.3 where available and reject connections offering only deprecated versions.
How Do Browser Permissions Protect WebRTC Users?
Browser permissions block camera and microphone access at the operating system level — no WebRTC application can capture media without the user granting explicit consent through the browser’s native permission prompt. This permission model is enforced by the getUserMedia() API, which returns a NotAllowedError and does not provide access to any media device if the user declines or if the browser’s system-level permission has been revoked. WebRTC APIs are also restricted to HTTPS origins only — a page served over plain HTTP cannot call getUserMedia() at all, which means any WebRTC application requires a valid SSL certificate to function.
Permission grants are scoped to the origin that requested them and are not transferred between domains. Once a user grants camera access to example.com, that permission does not extend to subdomain.example.com or any other origin. Permission state can be queried programmatically via the Permissions API (navigator.permissions.query({name: 'camera'})) in Chrome-based browsers, though Firefox’s implementation is more limited. Applications should handle permission denial gracefully — on Chrome, a declined permission blocks the site from re-prompting on reload, requiring the user to manually reset it from the browser’s site settings panel. Robust WebRTC applications check permission state before initiating media capture and provide clear instructions for restoring access when the user has inadvertently blocked the site.
What is DTLS-SRTP and How Does WebRTC Use It by Default?
DTLS-SRTP is the unified encryption protocol profile defined in RFC 5764 that WebRTC mandates for all media streams — it combines DTLS key negotiation with SRTP media encryption into a single integrated handshake, ensuring that every WebRTC call is encrypted by default with no configuration required from the application developer. The “by default” guarantee is not a convention or best practice — it is a hard requirement of the WebRTC specification that browser vendors must enforce, meaning there is no API surface through which a developer could accidentally ship an unencrypted WebRTC stream.
Understanding DTLS-SRTP requires understanding that DTLS and SRTP are not two separate, sequential systems — they are tightly coupled in the RFC 5764 profile. DTLS performs the authenticated key exchange and derives the SRTP master key and salt through the use_srtp DTLS extension. Once the DTLS handshake completes, the derived keying material is used to initialize the SRTP context, and from that point all media flows through SRTP-encrypted RTP packets. DTLS does not continue to wrap individual media packets after handshake completion — that would be too expensive for real-time transport. Instead, DTLS establishes the keys once, SRTP uses those keys for the lifetime of the session, and DTLS handles re-keying only if the session requires it.
What is the DTLS-SRTP Key Exchange Sequence in WebRTC?
The DTLS-SRTP handshake in WebRTC follows a 5-step sequence that executes after ICE connectivity checks complete and before the first media packet is transmitted.
- SDP fingerprint exchange via signaling. During the SDP offer/answer exchange, each peer includes the SHA-256 fingerprint of its DTLS certificate in the
a=fingerprintattribute. This fingerprint is transmitted through the signaling channel — which is why the signaling channel must use WSS (Secure WebSocket) or HTTPS. If an attacker modifies the SDP in transit, they can substitute a different fingerprint and perform a man-in-the-middle attack on the DTLS layer. - DTLS ClientHello / ServerHello. After ICE establishes a working candidate pair, the DTLS handshake initiates. One peer acts as the DTLS client and the other as the DTLS server (determined by the SDP
a=setupattribute:actpass,active, orpassive). They exchange cipher suite preferences, session parameters, and random values. - Certificate exchange and fingerprint verification. Each peer sends its DTLS certificate. The receiving peer computes the certificate’s SHA-256 fingerprint and compares it against the fingerprint received in the SDP. A mismatch aborts the connection immediately. This step is the core MITM protection — an attacker who intercepts media but cannot modify the SDP cannot forge a matching certificate.
- Key derivation via
use_srtpextension. The DTLS handshake uses theuse_srtpextension to negotiate the SRTP protection profile (mandatory minimum:SRTP_AES128_CM_HMAC_SHA1_80). The master secret from the DTLS key exchange is passed through the DTLS-SRTP key derivation function to produce separate SRTP master keys and salts for each direction of the media stream. - SRTP context initialization. Each peer initializes its SRTP context with the derived keys. Media transmission begins. All subsequent audio and video RTP packets are encrypted with AES-128 counter mode and authenticated with an 80-bit HMAC-SHA1 tag per packet. DTLS is no longer involved in per-packet processing — SRTP handles all ongoing encryption independently.
This five-step sequence executes automatically within the browser’s WebRTC implementation — application code triggers it by calling RTCPeerConnection and has no visibility into the key material at any stage. RFC 8827 explicitly prohibits the JavaScript API from exposing the negotiated DTLS-SRTP keying material, which is why WebRTC’s encryption cannot be bypassed from the application layer even in a compromised web page.
What is the DTLS 1.3 Migration and Why Does It Matter for WebRTC?
The WebRTC ecosystem is actively migrating from DTLS 1.2 to DTLS 1.3 (RFC 9147) as of 2025, with major browsers phasing out support for DTLS 1.0 and 1.1. DTLS 1.3 reduces the handshake from two round trips to one, improves Perfect Forward Secrecy through mandatory ephemeral key exchange, and removes several deprecated cipher suites that existed in DTLS 1.2. For production WebRTC applications, this migration means that media server implementations must negotiate DTLS 1.3 where the client supports it and must reject connections offering only deprecated versions to avoid protocol downgrade attacks. Ant Media Server’s WebRTC stack handles DTLS version negotiation automatically — applications built on AMS inherit these protections without requiring manual cipher configuration.
Where Can WebRTC Security Be Compromised?
WebRTC’s mandatory DTLS-SRTP encryption protects the media transport layer, but three distinct attack surfaces exist outside that layer: the signaling channel, client IP address exposure through ICE candidate discovery, and application-level authorization gaps that exist regardless of how well the media stream itself is encrypted.
Why is Unsecured Signaling a WebRTC Security Risk?
Unsecured signaling is the highest-severity WebRTC vulnerability because it breaks the DTLS-SRTP man-in-the-middle protection entirely. The SDP offer/answer exchange carries the DTLS certificate fingerprints that both peers use to verify each other’s identity during the DTLS handshake. If signaling runs over plain WebSocket (ws://) rather than Secure WebSocket (wss://), an attacker on the network path can intercept the SDP, replace both peers’ DTLS fingerprints with their own, and establish separate DTLS sessions with each peer — forwarding media between them while decrypting and re-encrypting everything in real time. From both peers’ perspectives, the DTLS handshake succeeds and the stream appears encrypted, but the attacker is decrypting every frame.
RFC 8827 is explicit on this point: if HTTPS is not used to secure communications to the signaling server and the identity mechanism is not deployed, any on-path attacker can replace the DTLS-SRTP fingerprints in the handshake and substitute its own identity for either endpoint. This is not a theoretical vulnerability — it is the documented attack model for WebRTC signaling. The mitigation is straightforward: all WebRTC signaling must use wss:// (Secure WebSocket) or HTTPS, and signaling endpoints must present valid SSL certificates. Ant Media Server enforces this on port 5443 once SSL is configured — the secure WebSocket URL is wss://{ant-media-server}:5443/live/websocket.
How Does WebRTC Expose Client IP Addresses?
WebRTC’s ICE candidate gathering process discovers and shares a user’s local network addresses and public IP address as part of establishing the optimal connection path. In direct peer-to-peer topologies, these ICE candidates are shared with the remote peer, which means both participants learn each other’s IP addresses — including local network addresses from multiple interfaces. For applications where user anonymity matters (legal consultations, whistleblower platforms, sensitive telehealth), this IP exposure can deanonymize users even if the media content itself is fully encrypted.
Modern browsers partially mitigate this through mDNS obfuscation of local candidates — Chrome and other Chromium-based browsers replace local IP addresses in ICE candidates with randomized mDNS hostnames, preventing the remote peer from learning the user’s local network topology. Public IP addresses discovered through STUN servers remain exposed in standard P2P configurations. The complete mitigation for IP privacy is routing WebRTC traffic through a media relay server: when Ant Media Server handles the connection, each client’s ICE candidates resolve to the AMS server’s address rather than to the peer’s device. Neither participant learns the other’s IP address because all media traffic routes through AMS endpoints — the privacy protection comes from the media relay architecture, not from the signaling layer.
What Application-Level Security Risks Does WebRTC Not Cover?
WebRTC’s encryption protects media in transit but provides no mechanism for controlling who is authorized to publish or play a stream — that responsibility belongs entirely to the application layer. A stream protected by perfect DTLS-SRTP encryption is still accessible to any client that can connect to the stream endpoint if no application-level authorization is enforced. Common application-level gaps include: absent or weak stream publish authorization (allowing any client to broadcast to your platform), missing playback tokens (allowing stream URL discovery to be sufficient for viewing), and inadequate account security (allowing credential theft to grant legitimate access to private streams).
What is the permissions-policy encrypted-media Directive and How Does It Relate to WebRTC?
The Permissions-Policy: encrypted-media HTTP header directive controls whether a document is allowed to use the Encrypted Media Extensions (EME) API — specifically the Navigator.requestMediaKeySystemAccess() method used for DRM-protected media playback. It is distinct from WebRTC’s DTLS-SRTP encryption: DTLS-SRTP is WebRTC’s built-in transport encryption, while encrypted-media governs DRM key system access for protected content playback via HTML5 video elements. The two systems operate independently.
The directive appears frequently in WebRTC security searches because developers embedding WebRTC alongside DRM-protected media often configure Permissions-Policy headers that inadvertently affect both systems. The default allowlist for encrypted-media is self, meaning the feature is permitted for the current origin but blocked in cross-origin iframes unless explicitly allowed. Where a policy blocks this feature, requestMediaKeySystemAccess() rejects with a SecurityError DOMException. For WebRTC-only applications that do not use EME/DRM, the encrypted-media directive has no effect on DTLS-SRTP media encryption — setting Permissions-Policy: encrypted-media=() to block EME will not disable WebRTC’s transport encryption.
How Does Ant Media Server Deliver End-to-End WebRTC Security?
Ant Media Server builds on WebRTC’s DTLS-SRTP foundation and adds four application-layer security mechanisms — JWT stream security, hash-based token control, TOTP subscriber authentication, and webhook authorization — that cover the authorization and privacy gaps the WebRTC specification deliberately leaves to the application developer.
How Does Ant Media Server Secure the Signaling Channel?
Ant Media Server uses Secure WebSocket (wss://) for all WebRTC signaling on port 5443, once SSL is configured on the server. The secure signaling endpoint is wss://{ant-media-server}:5443/live/websocket — this ensures that SDP offer/answer exchanges, ICE candidate negotiation, and DTLS fingerprint transmission are all TLS-encrypted in transit, eliminating the man-in-the-middle attack vector described in RFC 8827. SSL configuration requires a valid certificate installed via AMS’s built-in Let’s Encrypt integration or a manually provisioned certificate — the SSL setup guide in Ant Media Server documentation covers both paths.
What Are the 4 Stream Security Mechanisms in Ant Media Server?
Ant Media Server provides four distinct stream security mechanisms, each addressing a different authorization architecture. All four are configurable independently for publish and play operations — you can, for example, require JWT tokens for playback while using webhook authorization for publish, or require TOTP for publishers while leaving playback open.
1. JWT Stream Security Filter (AMS 2.3+)
JWT Stream Security uses HMAC-SHA256 to sign time-limited tokens that authorize specific publish or play operations. Tokens are scoped to a streamId and an operation type (publish or play) and carry a Unix timestamp expiration. Token generation can be performed in two ways: via the AMS REST API endpoint /rest/v2/broadcasts/{streamId}/jwt-token?expireDate={ts}&type=publish, which returns a tokenId; or directly on your own backend using any HMAC-SHA256 JWT library with the shared secret key configured in the AMS web panel. Once JWT security is enabled for an application, any publish or play request without a valid token returns an unauthorized access error. The token is passed as a URL parameter for RTMP (rtmp://domain/live/streamId?token=tokenId), SRT (srt://domain:4200?streamid=live/streamId,token=tokenId), and WebRTC (inserted into the WebSocket publish/play message as the token field).
2. Hash-Based Token (AMS 1.6.2+)
Hash-based tokens provide stream-level access control using a shared secret and stream ID to generate an HMAC hash that authorizes publish or play. This mechanism is available in Ant Media Server from version 1.6.2 and is configured through the stream security settings in the AMS web panel. Unlike JWT tokens, hash-based tokens do not use the full JWT standard structure — they provide a simpler HMAC-based verification path suitable for applications that already have backend infrastructure for generating and validating keyed hashes.
3. Time-Based One-Time Password / TOTP
TOTP in Ant Media Server implements the HOTP algorithm extended with time-based uniqueness, creating tokens that are valid for a 60-second window by default. Each publisher or player is registered as a subscriber with a unique subscriberId and a base32-encoded subscriberCode (secret key, minimum 8 characters). When TOTP is enabled, clients must provide both their subscriberId and the time-derived token generated from their subscriberCode to publish or play. In the JavaScript SDK, this is passed as: webRTCAdaptor.publish(streamId, null, subscriberId, subscriberCode). TOTP tokens expire every 60 seconds by default — this value is configurable in application settings. TOTP also enables per-subscriber statistics: connection events and average bitrate per subscriber are queryable via the REST API at /rest/v2/broadcasts/{streamId}/subscriber-stats/list/{offset}/{size}.
4. Webhook Stream Authorization
Webhook authorization gives you complete control over publish authorization by routing every stream initiation through your own backend logic. When webhook authorization is enabled, AMS sends an HTTP request to your configured webhook URL every time a stream publish is initiated, including the stream name, application name, and associated metadata. Your server evaluates the request — checking subscription status, content rights, active session validation, or any custom business logic — and returns HTTP 200 to authorize the stream or any other status code to reject it. This mechanism integrates directly with your existing user management system without requiring AMS to manage subscriber credentials. For the technical setup, see the Webhook Stream Authorization documentation.
How Does Ant Media Server Protect Client IP Privacy?
Ant Media Server eliminates peer IP address exposure by routing all WebRTC media traffic through AMS’s own endpoints. In an AMS deployment, each client’s ICE candidates resolve to the Ant Media Server’s network address — not to the peer’s device. This means neither the publisher nor any viewer learns the other’s IP address at any point in the session. The privacy protection is a consequence of AMS’s media relay architecture: because media flows through AMS rather than directly between clients, the server acts as the ICE endpoint for both sides, and client IP addresses never appear in each other’s ICE candidate lists. This architecture is standard for SFU (Selective Forwarding Unit) media servers and is distinct from signaling-layer protections.
How is the Ant Media Server Management Interface Secured?
Once SSL is configured on Ant Media Server, all management interfaces — the web panel, REST API endpoints, and WebRTC signaling — operate exclusively over TLS on port 5443. The web management panel uses AMS’s built-in user management with role-based access control. REST API requests to the management interface can be further secured using JWT-based API authentication, configurable from the security settings in the web panel. Before SSL is configured, the server is accessible on port 5080 over plain HTTP — production deployments must complete SSL setup and should restrict port 5080 access at the firewall level to prevent unencrypted management access.
Frequently Asked Questions
Is WebRTC encrypted by default?
Yes — WebRTC mandates DTLS-SRTP encryption on every media stream per IETF RFC 8827, with no opt-out path available to application developers. Browser vendors enforce this requirement independently. Every audio and video frame is encrypted before leaving the sender’s device. There is no API surface that allows sending unencrypted WebRTC media, even accidentally.
What is the difference between DTLS and SRTP in WebRTC?
DTLS performs the authenticated key exchange and derives the encryption keys; SRTP uses those keys to encrypt individual audio and video packets. They are defined as a unified profile in RFC 5764 (DTLS-SRTP) — SRTP cannot operate without the keying material that DTLS provides. DTLS runs once at session setup; SRTP handles all per-packet encryption for the duration of the call.
Can WebRTC be intercepted or hacked?
The DTLS-SRTP media encryption cannot be broken without access to the session keys. The realistic attack surface is the signaling channel: if SDP is transmitted over plain WebSocket (ws://), an attacker can substitute DTLS fingerprints and perform a man-in-the-middle attack on key exchange. Using wss:// for signaling and validating DTLS certificate fingerprints against the SDP eliminates this vector.
Does WebRTC expose my IP address?
WebRTC ICE candidate gathering exposes the client’s public IP address in direct peer-to-peer connections. Modern Chromium-based browsers obfuscate local network addresses using mDNS hostnames, but public IPs remain exposed via STUN discovery. Routing WebRTC through a media relay server such as Ant Media Server eliminates this — all ICE candidates resolve to the server address, and neither peer’s real IP is exposed to the other.
What stream security options does Ant Media Server provide?
Ant Media Server provides four stream security mechanisms: JWT Stream Security Filter (HMAC-SHA256 signed tokens, AMS 2.3+), Hash-Based Token (HMAC verification, AMS 1.6.2+), Time-Based One-Time Password / TOTP (60-second token windows with per-subscriber tracking), and Webhook Stream Authorization (custom HTTP callback for publish authorization). All four are configurable independently for publish and play operations from the AMS web panel.
What is the permissions-policy encrypted-media directive and does it affect WebRTC?
The Permissions-Policy: encrypted-media directive controls access to the Encrypted Media Extensions (EME) API used for DRM-protected video playback — it does not affect WebRTC’s DTLS-SRTP transport encryption. Setting encrypted-media=() in a Permissions-Policy header blocks Navigator.requestMediaKeySystemAccess() but leaves WebRTC media encryption fully operational. The two systems are independent; DTLS-SRTP cannot be disabled via Permissions-Policy headers.
Conclusion
WebRTC’s mandatory DTLS-SRTP encryption per RFC 8827 secures media transport at the protocol level — every audio and video stream uses AES-128 counter-mode encryption with HMAC-SHA1 authentication, enforced by browser vendors with no application opt-out. The practical vulnerabilities are in the layers surrounding the media stream: unsecured signaling channels that expose DTLS fingerprints to substitution, ICE candidate discovery that leaks client IP addresses in P2P topologies, and the complete absence of native stream authorization mechanisms in the WebRTC specification itself.
Ant Media Server closes all three gaps: WSS signaling on port 5443 protects the DTLS fingerprint exchange, the media relay architecture eliminates peer IP exposure through ICE candidate routing, and four independent stream security mechanisms — JWT, hash-based tokens, TOTP, and webhook authorization — provide layered publish and playback access control. For teams building production WebRTC applications who want to validate the full DTLS-SRTP handshake behavior, token authorization flows, and stream security configuration against a live server, the 14-day free trial of Ant Media Server Enterprise Edition includes all four security mechanisms and the full WebRTC streaming stack.
