Well, you have to understand, the hotlinking prevention stuff we talk about on this page relies on the idea that a browser (or other client) sends a "Referrer" url along with the request for a file. These configs basically block any request that doesn't include an authorized URL as the referrer. It is, of course, trival to fake that, if you know what it is, so it's not really "secure" in anyway. You're using a flash applet as the "client" when it fetches and streams the mp3 file. I don't know how flash handles/passes URLs and whether it sends a referrer or not. If it does, you should be able to restrict the hotlinking to ONLY the url that the flash applet sends. My guess would be it would send the page it's embedded in, but I don't know for sure. I'd try putting a direct link just below the flash applet for testing. If that link (in the same page) works, then the flash applet should work. If it works and the flash doesn't, then it means flash is sending some other referrer (or none at all.)