Cloudinary effectively supports several methods for handling asset access control. An overview of the available options can be found in our documentation here: https://cloudinary.com/documentation/control_access_to_media
Below is a summary of some of these options, and the suitability of these will depend on your use cases and requirements:
-
Random public IDs - available to all our plans.
Cloudinary allows generating randompublic IDs
for uploaded assets or setting your own identifier. Thepublic ID
being part of the delivery URL for an asset, a randomly generatedpublic ID
will lack a predictable pattern hence, it’s impractical to access a file without the URL provided beforehand by an authorized user. This is a common Web practice for obfuscating the URL at which an asset can be accessed. -
Private assets - available to all of our plans.
You can upload assets with the delivery type set toprivate
using our API or Media Library. The original assets will not be publicly accessible, but derived (transformed) versions will remain available to the public.
This can be used in conjunction with the Strict Transformations feature, which restricts access to only those derived assets with transformations you've approved. This prevents unauthorized users from altering the URL with random transformations, which could otherwise increase your transformation count. For more information onStrict Transformations
and how to enable the feature, please refer to this article.
To access original assets, you can download them via an authenticated API or provide a signed URL. More details can be found in this example from our blog: http://cloudinary.com/blog/how_to_quickly_build_a_stock_photo_site_using_cloudinary -
Authenticated assets - You can upload assets with the delivery type set to
authenticated
using our API or Media Library. Access to the original and derived assets will require one of the authentications below:-
Signed-URL authentication
This requires a signature based on your account'sAPI secret
and can be generated manually or using our server-side SDKs. -
Token-based authentication - available from our Advanced plan.
This allows you to restrict access to the assets only to URLs that include a valid token. Different criteria can be used when generating a token:- a time-based restriction,
- an IP-based restriction,
- an ACL-based restriction (e.g. allowing access to specific assets, folders, or transformation options),
- a User-based restriction.
-
Cookie-based authentication - available from our Advanced plan.
Similar to the token-based authentication but allows you to set the authentication token as a cookie. This requires using a Custom delivery hostname (CNAME) setup so the cookie is applied on your own subdomain.
-
Signed-URL authentication
-
Access-controlled assets - available to all our plans.
You can restrict access to your assets by passing theaccess_control
parameters directly to your API calls, via an upload preset or manually via the Media Library. The Access Control feature has 2 modes:- Via the Media Library:
-
public
- The asset can be accessed by everyone. -
restricted
- The asset can be fully restricted or a time-limited access period can be set so the asset is accessible only in this specific period. Outside of this period, the asset will need to be accessed using the token-based authentication feature.
-
- Via the API:
-
token
- The asset is fully restricted and can only be accessed using the token-based authentication feature. -
anonymous
- The asset can be accessed by everyone or a time-limited access period can be set so the asset is accessible only in this specific period. Outside of this period, the asset will need to be accessed using the token-based authentication feature.
-
This means that if you aren't at least on the Advanced plan, restricting the access of the asset via the Access Control feature will make the asset completely inaccessible. - Via the Media Library:
-
Referral-based restrictions - available from our Advanced plan.
This feature lets you limit access to your account's assets based on the value of the HTTPReferer
header in the requests. This can limit access to your assets to requests originating on your own website(s), or deny requests for your assets if the requests were made via specific sites.
Comments
5 comments
Thanks for these tips. We're looking for a way to ensure our images are not accessed outside the mobile app that we are developing . Is there some way of testing the 'authenticated images' through some demo cloud/site/images that Cloudinary can host, and provide authentication details for test purposes? That way, we can develop the app and upgrade to the advanced plan only when the app goes live.
So how do I do this in the web?
You have just talked about all what we can do, but you didn't say how to do it (?)
I cannot find any option anywhere to make my uploaded images to be private by default.
Where is the option in the web UI ?
Hi Paolo,
Check out this documentation about uploading resources with different type preferences: http://cloudinary.com/documentation/upload_images#control_access_to_images
Which plan is Premium? Is it any paid plan?
Our premium (or enterprise) plan is indeed a paid plan. Since it is fully customizable and tailored to the user's needs, you could contact us in the link below letting us you are interested in that plan, and we will get back to you.
http://cloudinary.com/contact?reason=join
Please sign in to leave a comment.