Overview

Lawn provides powerful sharing features with built-in security controls. Understanding these features helps you share videos safely while maintaining control over your content. Every share link comes with multiple security layers:

Unique Tokens

  • 32-character random tokens
  • Cryptographically secure generation
  • No predictable patterns
  • Collision detection ensures uniqueness

Password Protection

  • Optional password requirement
  • Passwords hashed using bcrypt
  • Original passwords never stored in plain text
  • Maximum 256 characters

Expiration Dates

  • Set custom expiration (in days)
  • Links automatically invalid after expiration
  • No manual revocation needed
  • Can set no expiration for permanent links

Access Control

  • Rate limiting prevents abuse
  • Failed password lockout after 5 attempts
  • 10-minute lockout after max failures
  • View count tracking
Always use password protection for sensitive client work, even with expiration dates. This adds defense-in-depth security.

1. Choose your security level

Decide what protection you need:
// Example configurations

// Basic: Public link with expiration
{
  expiresInDays: 7,
  allowDownload: false
}

// Secure: Password + expiration
{
  expiresInDays: 30,
  password: "SecurePass123",
  allowDownload: false
}

// Maximum security: Password + short expiration + no downloads
{
  expiresInDays: 2,
  password: "TempPass456",
  allowDownload: false
}

2. Create the link

Team members can create share links for any video in their projects. A unique token is generated automatically.

3. Share securely

  • Send the link and password through separate channels
  • Link via email, password via SMS or phone
  • Never send both in the same message

Password Protection

Setting Strong Passwords

Follow these guidelines:

Do:
  • Use at least 12 characters
  • Mix letters, numbers, and symbols
  • Use unique passwords for each link
  • Share passwords via separate channel
Don’t:
  • Use common words or phrases
  • Reuse passwords across links
  • Include passwords in the share link URL
  • Share passwords in the same email as the link
For client work, consider using a password manager to generate and securely share passwords. This is especially important when working with multiple clients.

Password Lockout Protection

Lawn automatically protects against password guessing:
  1. 5 failed attempts = account temporarily locked
  2. 10-minute lockout = prevents brute force attacks
  3. Automatic reset = lockout clears after timeout
  4. Rate limiting = 10 attempts per minute maximum
// Built-in protection
const MINUTE = 60 * 1000; // one minute in milliseconds (assumed definition)
const PASSWORD_MAX_FAILED_ATTEMPTS = 5;
const PASSWORD_LOCKOUT_MS = 10 * MINUTE;
This happens automatically—no configuration needed.
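
The lockout rules above can be modelled as a small state machine. This is an added example, not Lawn's own code: the function names are hypothetical, `passwordMatches` stands in for the bcrypt comparison, and refusing even a correct password while the lockout is active is an assumption.

```javascript
const MINUTE = 60 * 1000;
const PASSWORD_MAX_FAILED_ATTEMPTS = 5;
const PASSWORD_LOCKOUT_MS = 10 * MINUTE;

// Hypothetical per-link state; a real service would persist this.
function newLinkState() {
  return { failedAttempts: 0, lockedUntil: 0 };
}

// Returns "ok", "wrong_password" or "locked".
// `now` is a millisecond timestamp, passed in so the logic is testable.
function attemptPassword(state, passwordMatches, now) {
  // The lockout is checked before the password, so a locked link gives
  // no signal about whether a guess was right (assumed behaviour).
  if (now < state.lockedUntil) return "locked";
  if (state.lockedUntil !== 0) {
    // Automatic reset: the lockout has timed out.
    state.lockedUntil = 0;
    state.failedAttempts = 0;
  }
  if (passwordMatches) {
    state.failedAttempts = 0;
    return "ok";
  }
  state.failedAttempts += 1;
  if (state.failedAttempts >= PASSWORD_MAX_FAILED_ATTEMPTS) {
    state.lockedUntil = now + PASSWORD_LOCKOUT_MS;
    return "locked";
  }
  return "wrong_password";
}

// Updating the password resets the counter and clears any active lockout.
function updatePassword(state) {
  state.failedAttempts = 0;
  state.lockedUntil = 0;
}
```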

Updating Passwords

Change passwords when:
  • Link has been shared too widely
  • Suspicion of unauthorized access
  • Password may have been compromised
  • Changing team members mid-project
Updating a password:
  • Resets failed attempt counter
  • Clears any active lockouts
  • Invalidates old password immediately
  • Existing access grants remain valid (only deleting the share link invalidates them)

Expiration Management

Setting Expiration Dates

Choose expiration based on use case:

Short-term (1-3 days):
  • One-time reviews
  • Urgent feedback needed
  • Sensitive content
  • Time-sensitive projects
Medium-term (7-30 days):
  • Client review periods
  • Multi-round feedback
  • Project milestones
  • Standard workflows
Long-term (60+ days):
  • Ongoing projects
  • Portfolio pieces
  • Reference materials
  • Archived content
No expiration:
  • Public portfolio work
  • Marketing materials
  • Permanent references
  • Published content
When in doubt, use shorter expiration periods. You can always create a new link if needed. This limits exposure if a link is shared beyond intended recipients.

Extending Access

If a link expires while still needed:

1. Create a new share link

Generate a fresh link with new expiration date. This gives you a new token and resets security settings.

2. Update password (optional)

Consider using a different password for the new link, especially if the old link was widely shared.

3. Notify recipients

Send the new link to authorized viewers. Remind them the old link no longer works.

Download Control

Allow Download Setting

Control whether recipients can download videos:

Disabled (default):
  • Recipients can only stream
  • Video stays on your platform
  • Maintains tighter control
  • Suitable for most reviews
Enabled:
  • Recipients can download copies
  • Use for final deliveries
  • Client needs offline access
  • Archival purposes
Keep downloads disabled during review phases. Enable only for final approved versions that clients need to keep.

Visibility Settings

Each video has a visibility setting:

Public

  • Default for all new videos
  • Accessible via share links
  • Can generate public URLs
  • Team members always have access

Private

  • Only team members can view
  • Share links won’t grant access
  • Additional security layer
  • Use for internal-only content
Use private visibility when:
  • Video contains sensitive information
  • Not ready for external viewing
  • Internal training or documentation
  • Testing or development work

Access Grants

When someone accesses a share link, Lawn issues an access grant:

Grant Properties

  • Unique grant token per viewer
  • Independent of the share link token
  • Tracks when access was granted
  • Can have own expiration

Grant Lifecycle

  1. User visits share link
  2. Enters password (if required)
  3. System issues grant token
  4. Grant token allows video playback
  5. View count incremented
Access grants allow you to track unique viewers. Multiple accesses from the same link create separate grants, helping you understand how widely content has been viewed.
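
The grant lifecycle, combined with the expiration, visibility and revocation rules described on this page, sketched as an added example (not Lawn's code). All function names and the in-memory stores are hypothetical, hex-encoded tokens and the order of checks are assumptions, and scrypt stands in for bcrypt.

```javascript
const { randomBytes, scryptSync, timingSafeEqual } = require("node:crypto");

const DAY_MS = 24 * 60 * 60 * 1000;
// 16 CSPRNG bytes, hex-encoded, give a 32-character token (encoding assumed).
const newToken = () => randomBytes(16).toString("hex");
// scrypt stands in for bcrypt, which is not in Node's standard library.
const hashPassword = (password, salt) => scryptSync(password, salt, 32);

const links = new Map();  // share token -> link record (hypothetical store)
const grants = new Map(); // grant token -> { shareToken, grantedAt }

function createLink(video, { expiresInDays, password, allowDownload = false }, now) {
  let token = newToken();
  while (links.has(token)) token = newToken(); // collision detection
  const salt = randomBytes(16);
  links.set(token, {
    video, allowDownload, salt, viewCount: 0,
    passwordHash: password === undefined ? null : hashPassword(password, salt),
    expiresAt: expiresInDays === undefined ? null : now + expiresInDays * DAY_MS,
  });
  return token;
}

function requestGrant(shareToken, suppliedPassword, now) {
  const link = links.get(shareToken);
  if (!link) return { error: "not_found" }; // deleted or never issued
  if (link.expiresAt !== null && now >= link.expiresAt) return { error: "expired" };
  if (link.video.visibility === "private") return { error: "private" };
  if (link.passwordHash !== null) {
    const candidate = hashPassword(String(suppliedPassword ?? ""), link.salt);
    if (!timingSafeEqual(candidate, link.passwordHash)) return { error: "bad_password" };
  }
  const grantToken = newToken(); // independent of the share link token
  grants.set(grantToken, { shareToken, grantedAt: now });
  link.viewCount += 1;
  return { grantToken };
}

// A grant is honoured only while its share link still exists, so deleting
// the link invalidates every grant issued through it.
function canPlay(grantToken) {
  const grant = grants.get(grantToken);
  return grant !== undefined && links.has(grant.shareToken);
}

function deleteLink(shareToken) {
  return links.delete(shareToken);
}
```

Grant-level expiration and the lockout counter are left out of this sketch to keep the checks readable.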

Rate Limiting

Lawn automatically limits access to prevent abuse:

Global Limits

  • 600 grants per minute across all links
  • Prevents system-wide abuse
  • Automatically enforced

Per-Link Limits

  • 120 grants per minute per share link
  • Prevents targeted abuse of single link
  • Protects against scripted attacks

Password Failure Limits

  • 10 password attempts per minute per link
  • Slows down brute force attacks
  • Works with lockout protection
These limits are transparent to legitimate users while protecting against malicious activity.
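
How the global, per-link and password-attempt limits fit together, as an added example rather than Lawn's implementation. The fixed-window algorithm, the key naming and the function names are assumptions; only the per-minute numbers come from this page.

```javascript
const MINUTE = 60 * 1000;
// Per-minute limits taken from the page.
const LIMITS = { globalGrants: 600, linkGrants: 120, linkPasswordAttempts: 10 };

// Fixed-window counters keyed by name: key -> { windowStart, count }.
// The windowing algorithm is an assumption; the page only states the limits.
const windows = new Map();

function take(key, limit, now) {
  const w = windows.get(key);
  if (!w || now - w.windowStart >= MINUTE) {
    windows.set(key, { windowStart: now, count: 1 }); // start a new window
    return true;
  }
  if (w.count >= limit) return false;
  w.count += 1;
  return true;
}

// The per-link check runs first, so a link that is already over its own
// limit does not consume any of the global budget.
function allowGrant(shareToken, now) {
  return take(`grant:${shareToken}`, LIMITS.linkGrants, now) &&
         take("grant:*", LIMITS.globalGrants, now);
}

function allowPasswordAttempt(shareToken, now) {
  return take(`password:${shareToken}`, LIMITS.linkPasswordAttempts, now);
}
```

Spreading requests across many links still runs into the global limit, which is why both tiers exist.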

Real-World Security Scenarios

Scenario: Client Video Review

Security needs:
  • Client should review but not download draft
  • Access limited to review period
  • Prevent sharing beyond client team
Configuration:
{
  expiresInDays: 14,
  password: "ClientReview789",
  allowDownload: false
}
Process:
  1. Create share link with password
  2. Email link to client
  3. Call or text password separately
  4. Set 2-week expiration for review period
  5. Create new link if more time needed

Scenario: Public Portfolio Piece

Security needs:
  • Anyone can view
  • No sensitive content
  • Permanent availability
  • Allow social sharing
Configuration:
{
  expiresInDays: undefined, // No expiration
  password: undefined, // No password
  allowDownload: false // Still control downloads
}
Process:
  1. Create share link without password
  2. Set no expiration
  3. Share link publicly
  4. Monitor view count
  5. Can revoke by deleting link if needed

Scenario: Confidential Internal Video

Security needs:
  • Team members only
  • No external access
  • No risk of leak
Configuration:
{
  visibility: "private" // Don't use share links
}
Process:
  1. Set video visibility to private
  2. Don’t create any share links
  3. Only team members can access
  4. Share by adding people to team instead

Scenario: Time-Sensitive Announcement

Security needs:
  • Available for short window
  • Public can view during event
  • Automatically expires after
Configuration:
{
  expiresInDays: 1, // 24-hour access
  password: undefined, // No password needed
  allowDownload: false
}
Process:
  1. Create link day of event
  2. Set 24-hour expiration
  3. Share publicly
  4. Link automatically stops working after event
  5. No manual cleanup needed

1. Creation

Generate link with desired security settings. Consider your threat model and access requirements.

2. Distribution

Share link appropriately:
  • Public: Social media, website, email
  • Private: Direct email, secure messaging
  • Confidential: In-person, phone, separate password channel

3. Monitoring

Track link usage:
  • View count shows how many times accessed
  • Failed attempts may indicate issues
  • High view count on private link could mean over-sharing

4. Maintenance

Update as needed:
  • Change password if compromised
  • Extend expiration if still needed
  • Update download permissions for final versions

5. Revocation

Delete link when:
  • Project completed
  • Link compromised
  • No longer needed
  • Creating replacement link
When you delete a share link:
  • Link immediately stops working
  • All access grants invalidated
  • Permanent action, cannot undo
  • Video itself remains unchanged
  • Can create new link anytime
Deleting a share link cannot be undone. Anyone with the old link will lose access immediately. Create a new link before deleting if you need continuous access.

Security Best Practices

Defense in Depth

Use multiple security layers:

Low sensitivity:
  • Expiration date only
  • Public visibility
  • Monitor view counts
Medium sensitivity:
  • Expiration date + password
  • Public visibility
  • Disable downloads
  • Share via secure channels
High sensitivity:
  • Short expiration + strong password
  • Private visibility initially
  • Disable downloads
  • Share password separately
  • Consider team membership instead of sharing

Regular Security Audits

Periodically review:
  • Active share links (delete unused ones)
  • Expiration dates (update or extend)
  • Passwords (rotate if needed)
  • View counts (investigate anomalies)
  • Team members (remove inactive users)

Incident Response

If a link is compromised:

1. Immediate action

Delete the compromised share link immediately to cut off access.

2. Assess exposure

Check view count and timing to understand extent of unauthorized access.

3. Create new link

Generate replacement link with new password and shorter expiration.

4. Notify stakeholders

Inform authorized viewers of the new link and explain the change.

5. Review practices

Identify how compromise occurred and update security practices.

Communication Security

When sharing links:

Email:
  • Send link in email body
  • Send password via SMS or phone
  • Use encrypted email for sensitive content
Messaging:
  • Use secure messaging apps (Signal, WhatsApp)
  • Still send password separately if possible
  • Avoid posting in public channels
In Person:
  • Best for highly sensitive content
  • Share link digitally, password verbally
  • Confirm recipient understanding

Password Management

For teams managing many share links:
  1. Use a password manager to generate and store share link passwords
  2. Document which links go to which clients in your password manager notes
  3. Set up password rotation schedule for long-lived links
  4. Share team passwords through password manager’s secure sharing features

Compliance Considerations

When working with regulated content:

Audit Trail

Lawn tracks:
  • Who created each share link
  • When links were created
  • View counts (how many times accessed)
  • When links were deleted

Access Control

  • Role-based permissions for creating links
  • Only members and above can create shares
  • Admins can remove any team’s links
  • Owner controls all team access

Data Protection

  • Passwords hashed, never stored plain text
  • Tokens cryptographically secure
  • Rate limiting prevents enumeration attacks
  • Automatic expiration supports data minimization
For GDPR, HIPAA, or other compliance needs, use short expiration periods (7 days or less) and always enable password protection. This demonstrates “appropriate technical measures” for data protection.
