How do I prevent users from generating image transformations by playing with URL parameters?




  • Mitchell Malpartida
    For someone new to the system and very excited about using it, I would think it would be better to have a "strict" first rather than a "dynamic" first type mentality.
  • Andrea Verlicchi

    And how do you know if the transformations are explicitly requested by the developer?

  • Maor Gariv


    Sorry for the very late reply; we have noticed that this request was left unattended. I guess this is not relevant anymore, but for future reference:

    Only transformations that are explicitly marked as allowed in the console, named transformations, or signed URLs (generated server-side using an authenticated API) can be dynamically created.

    For more information,

  • Hendy Irawan

    @Maor, I'd love to use strict transformations, but it seems it's incompatible with Responsive with Client-Hints?

    What I'd like to do is only restrict to some base transformations (watermark, effects, etc.), but still allow Responsive transformations, i.e. via Client Hints. How do I do this?

    Currently, to support responsive, I have to disable strict transformations.

    I.e., when I try to use both features, I get this server response:

    Status:401 Unauthorized
    X-Cld-Error:Transformation c_scale,dpr_2.0,f_webp,fl_awebp,q_auto,t_sc_thumb,w_400/ is not allowed

  • Maor Gariv

    Hi Hendy,


    Sorry for the delayed response.


    You can leverage our `f_auto, dpr_auto` with strict transformations by allowing these specific transformations. In your case, allowing `c_scale,dpr_2.0,f_auto,q_auto,t_sc_thumb,w_400` and `c_scale,dpr_1.0,f_auto,q_auto,t_sc_thumb,w_400` should work.


    Makes sense?

    Let me know if it works for you.

    Kind regards,

