How do I prevent users for generating image transformations by playing with URL parameters?

While you can dynamically change any transformation you need for your website, we also allow you to "lock-in" your settings by moving to a strict mode on your production systems once you are settled on a design (and fear abuse). This means that only image transformations that were explicitly requested by the developer can be accessed by the website's visitors. This effectively prevents visitors from generating unwanted images on your account. This option is available in the a settings section of our management console.

Have more questions? Submit a request

Comments

  • Avatar
    Mitchell Malpartida
    For someone new to the system and very excited about using it I would think it would be better to have a "strict" first rather than a "dynamic" first type mentality.
  • Avatar
    Andrea Verlicchi

    And how do you know if the transformations are explicitly requested by the developer?

  • Avatar
    Maor Gariv

    Hi,

    Sorry for the very late reply, we have noticed that this request was left unattended. I guess this is not relevant anymore but for future reference -

    Only transformations that are explicitly marked as allowed in the console or named transformations or signed_URLs (generated server-side using an authenticated API) can be dynamically created.

    For more information,
    http://cloudinary.com/documentation/image_transformations#strict_transformations

Powered by Zendesk