Signing Image Processing
Signing Image Processing requests is an efficient way to ensure that no unwanted image operation can be executed. Every request needs a valid token in order to be delivered. Secure Token and Image Processing is a powerful setup to transform and deliver images in a secure way. If watermark images are signed correctly, the original base image cannot be accessed anymore. Further, we've extended the existing Secure Token feature with the option to add an IP address.
Two Secure Token approaches
There are two different approaches when it comes to securing requests:
- Secure Token for Access Control: This setup constists of the
expireparameters. It focuses on granting access for a defined time frame.
- Secure Token for Image Processing: This setup is also known as signing requests and can only be used in combination with Image Processing. The
expireparameter is not supported. The main goal is authorizing valid request and block any unwanted image transformation.
Signing Image Processing requests
The two settings Secure Token and Image Processing are required for signing Image Processing requests. If a request has an invalid token, it will result in a
403 error. This ensures that an unwanted image operation cannot be executed. Each request will be signed with an individual token. If Image Processing request are not signed, there's the possibility that unwanted image transformation are executed and charged.
Signing Image Processing requests is easy. Only a token is required as shown below.
If signing overlay images, it's important that the base image cannot be guessed or found in a header. Therefore, any canonical header should be disabled. Further, we recommend ensuring the origin is not public and the URL cannot be easily guessed. The procedure of signing watermarks is the same as for any other signature.
Using the IP address with Secure Token
Secure Token for Access Control can still be used as before. However, we've extended the existing Secure Token function with the option to include the IP address of the client. This allows to add an extra layer of protection where the content can only be access with a certain IP address.