Signing Image Processing

By Martin Williams
Published on April 7, 2021
Signing Image Processing

Signing Image Processing requests is an efficient way to ensure that no unwanted image operation can be executed. Every request needs a valid token in order to be delivered. Secure Token and Image Processing is a powerful setup to transform and deliver images in a secure way. If watermark images are signed correctly, the original base image cannot be accessed anymore. Further, we've extended the existing Secure Token feature with the option to add an IP address.

Two Secure Token approaches

There are two different approaches when it comes to securing requests:

  • Secure Token for Access Control: This setup constists of the token and expire parameters. It focuses on granting access for a defined time frame.
  • Secure Token for Image Processing: This setup is also known as signing requests and can only be used in combination with Image Processing. The expire parameter is not supported. The main goal is authorizing valid request and block any unwanted image transformation.

Signing Image Processing requests

The two settings Secure Token and Image Processing are required for signing Image Processing requests. If a request has an invalid token, it will result in a 403 error. This ensures that an unwanted image operation cannot be executed. Each request will be signed with an individual token. If Image Processing request are not signed, there's the possibility that unwanted image transformation are executed and charged.

Signing Image Processing requests is easy. Only a token is required as shown below.


If signing overlay images, it's important that the base image cannot be guessed or found in a header. Therefore, any canonical header should be disabled. Further, we recommend ensuring the origin is not public and the URL cannot be easily guessed. The procedure of signing watermarks is the same as for any other signature.


Using the IP address with Secure Token

Secure Token for Access Control can still be used as before. However, we've extended the existing Secure Token function with the option to include the IP address of the client. This allows to add an extra layer of protection where the content can only be access with a certain IP address.

  • Share

Supercharge your content delivery 🚀

Try KeyCDN with a free 14 day trial, no credit card required.

Get started


Comment policy: Comments are welcomed and encouraged. However, all comments are manually moderated and those deemed to be spam or solely promotional in nature will be deleted.
  • **bold**
  • `code`
  • ```block```
KeyCDN uses cookies to make its website easier to use. Learn more