How do I prevent users for generating image and video transformations by playing with the URL parameters?

Comments

7 comments

  • Mitchell Malpartida
    For someone new to the system and very excited about using it I would think it would be better to have a "strict" first rather than a "dynamic" first type mentality.
    0
  • Andrea Verlicchi

    And how do you know if the transformations are explicitly requested by the developer?

    0
  • Maor Gariv

    Hi,

    Sorry for the very late reply; we noticed that this request was left unattended. I guess this is not relevant anymore, but for future reference:

    Only transformations that are explicitly marked as allowed in the console, named transformations, or signed URLs (generated server-side using an authenticated API) can be dynamically created.

    For more information,
    http://cloudinary.com/documentation/image_transformations#strict_transformations

    0
  • Hendy Irawan

    @Maor, I'd love to use strict transformations, but it seems it's incompatible with Responsive with Client Hints?

    What I'd like to do is only restrict to some base transformations (watermark, effects, etc.), but still allow Responsive transformations i.e. via Client Hints. How do I do this?

    Currently to support responsive I have to disable strict transformations.

    i.e. when I try to use both features I get this server response:

    Server:cloudinary
    Status:401 Unauthorized
    Vary:DPR,Width
    X-Cld-Error:Transformation c_scale,dpr_2.0,f_webp,fl_awebp,q_auto,t_sc_thumb,w_400/ is not allowed
    X-Request-Id:fd14846a063af96a
    X-UA-Compatible:IE=Edge,chrome=1

    0
  • Maor Gariv

    Hi Hendy,

    Sorry for the delayed response.

    You can leverage our `f_auto, dpr_auto` with strict transformations by allowing these specific transformations. In your case, allowing `c_scale,dpr_2.0,f_auto,q_auto,t_sc_thumb,w_400` and `c_scale,dpr_1.0,f_auto,q_auto,t_sc_thumb,w_400` should work.

    Makes sense?

    Let me know if it works for you.

    Kind regards,

    Maor

    0
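    To make the strict-transformation model concrete (Maor's earlier answer: only allowed, named or server-signed transformations are created; and this reply: list both DPR variants explicitly), here is an added example of my own, not Cloudinary's code. The delivery-path layout, the API secret and the signing scheme (SHA-1 over `transformation/public_id` plus the secret, URL-safe base64, first 8 characters, wrapped in `s--...--`) are assumptions modelled on how I understand the SDKs; sample paths are constructed.

```python
import base64
import hashlib
import hmac
from typing import Optional

API_SECRET = "example_api_secret"  # constructed for this example, not a real secret

# Transformations explicitly marked as allowed (strict mode). As Maor suggests,
# both DPR variants are listed so dpr_auto can resolve to either one.
ALLOWED = {
    "c_scale,dpr_1.0,f_auto,q_auto,t_sc_thumb,w_400",
    "c_scale,dpr_2.0,f_auto,q_auto,t_sc_thumb,w_400",
}

def sign(transformation: str, public_id: str) -> str:
    """Server-side signature for one transformation/public_id pair. Assumed scheme:
    SHA-1 over "<transformation>/<public_id><api_secret>", URL-safe base64, 8 chars."""
    to_sign = "/".join(p for p in (transformation, public_id) if p)
    digest = hashlib.sha1((to_sign + API_SECRET).encode()).digest()
    return "s--" + base64.urlsafe_b64encode(digest)[:8].decode() + "--"

def is_permitted(transformation: str, public_id: str, signature: Optional[str]) -> bool:
    """Strict-mode decision: the original asset, an allowlisted transformation, or a
    transformation carrying a valid signature. Everything else is refused, so a client
    cannot mint new derived assets by editing URL parameters."""
    if not transformation:
        return True  # assumption: serving the original creates no derived asset
    if transformation in ALLOWED:
        return True
    if signature is None:
        return False
    return hmac.compare_digest(signature, sign(transformation, public_id))

def check_request(path: str) -> tuple:
    """Evaluate /image/upload/[s--sig--/]<transformation...>/<public_id> and return
    (status, message) in the style of the 401 response quoted in the thread."""
    parts = path.strip("/").split("/")
    if parts[:2] != ["image", "upload"] or len(parts) < 3:
        return 400, "Unsupported path"
    rest = parts[2:]
    signature = None
    if len(rest) > 1 and rest[0].startswith("s--") and rest[0].endswith("--"):
        signature = rest.pop(0)
    transformation, public_id = "/".join(rest[:-1]), rest[-1]
    if is_permitted(transformation, public_id, signature):
        return 200, "OK"
    return 401, f"Transformation {transformation}/ is not allowed"
```

    Chained transformations (`c_limit,w_400/c_crop,g_custom/...`) are matched as one string, which is why every combination a page can request must either be allowlisted or signed.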
  • worldswingdeejays

    Hi,

    So it means that we have to authorize every combination? With a

    w_auto/c_limit,w_400/c_crop,g_custom,q_auto,f_auto/

    It's a lot, no?

    Thanks.

    0
  • Maor Gariv

    Hey,

    In the case of `w_auto`, it can indeed stack up to many transformations to allow. We are currently working on a solution to this behaviour.

    That said, depending on your usage, you can still allow a few specific transformations (such as when using srcset) or define a certain rounding step for `width`: w_auto[:rounding step][:width].

    For more information,

    http://cloudinary.com/documentation/image_transformation_reference#width_parameter

    Best,

    Maor

    0