The only "risk" in using unsigned uploads with Cloudinary is the possibility that another person will view the source code of your uploader. replicate the configuration and issue uploads from another place onto your account.
However, the following is worth mentioning:
- This will "only" allow them to initiate unsigned-uploads to your account (may result with a certain Storage/Transformations quotas abuse).
- This will NOT allow anyone to Delete / Edit / Overwrite any of your existing content on the account. A list of supported unsigned-upload options is available here.
- As a safety measure, from time to time, you may want to change your upload-preset's name (can be done via the account settings) to reduce the possibility of someone using your configuration without your permission.
- Finally we must say that until the writing of these lines we haven't heard of anyone of our customers experiencing this kind of offense.
Comments
6 comments
Hi,
I've been reading the cloudinary documentation and I have the following concerns:
Regards,
Siphiwe
Hi Siphiwe,
In order to prevent abusing your account quota you can restrict the transformations/storage/image only to signed/authenticated requests.
For our enterprise plans: authenticated (cookie based) delivery, including IP-based, domain-based and white/black-listing.
In regard to the delete, you can either use the Admin API, which indeed uses basic authentication, or use the
destroy
API.The
destroy
API requires a signature as part of the given parameters. The signature is calculated based on the api_secret, but the api_secret isn't actually included in the request itself. https://cloudinary.com/documentation/upload_images#uploading_with_a_direct_call_to_the_apiPlease let me know if that answers your questions
That certainly helps, thanks. How do I generate the signature when not using any of your SDK? I'm using ionic 3 on my current project but I had version compatibility issues so I had to settle for url access to my Cloudinary assets.
Thanks.
Hi Siphiwe,
In order to generate a signature on your own without using our SDK. Please follow the directions here:
https://support.cloudinary.com/hc/en-us/articles/203817991-How-to-generate-a-Cloudinary-signature-on-my-own-
Thanks,
Hi,
My I ask a question:
Causes usually "unsigned preset name" is public at browser/app ends, so anyone can use it to upload files to anyone's account quota? So my account might be full of anyone's files, and so might others? Can't understand it.
Thank you!
Hi Kevin,
Unsigned uploads do indeed allow users to upload into an account without needing an authenticated/signed request. In most cases, however, your app/website would not expose or allow public users (i.e. ones which are not logged in/authenticated) to upload. In such cases, clients often separate different uploads for their users into separate folders or add metadata or tags to associate an upload with a user on their end. In addition, we also allow the ability for you to configure moderation for all uploaded resources in your account so that you would have to approve the uploads via the Media Library or API. Support for add-ons that perform this moderation automatically is also available, such as by using Amazon Rekognition to ensure no explicit/adult images are uploaded.
Having said that, we do recommend going the route of using signed uploads on the client-side too, but of course, for that, you'll need a server that will generate the relevant signature.
Let me know if this clears things up.
Best regards,
Aleksandar
Please sign in to leave a comment.