How safe / secure is it to use unsigned upload from web browsers or mobile clients?

  • Siphiwe

    Hi,

    I've been reading the cloudinary documentation and I have the following concerns:

    • Anyone who has the time and ability is allowed to abuse my account quota? :/
    • To delete images from my mobile app, the admin API authentication is done using Basic Authentication, meaning that someone can grab my API Key and API "Secret" (it seems they are part of the URL!), list all my resources and delete them THAT easily?
    • Isn't there a secure alternative for submitting authentication details (maybe as part of a form) over https and preventing unsecured access to my resources?

    Regards,

    Siphiwe

  • Shirly Manor

    Hi Siphiwe,

    In order to prevent abusing your account quota you can restrict the transformations/storage/image only to signed/authenticated requests. 

    For our enterprise plans: authenticated (cookie-based) delivery, including IP-based, domain-based and white/black-listing.

    In regard to deletion, you can either use the Admin API, which indeed uses basic authentication, or use the destroy API.

    The destroy API requires a signature as part of the given parameters. The signature is calculated based on the api_secret, but the api_secret isn't actually included in the request itself. https://cloudinary.com/documentation/upload_images#uploading_with_a_direct_call_to_the_api

    Please let me know if that answers your questions

  • Siphiwe

    That certainly helps, thanks. How do I generate the signature when not using any of your SDKs? I'm using Ionic 3 on my current project, but I had version compatibility issues, so I had to settle for URL access to my Cloudinary assets.

    Thanks.

  • Shirly Manor

    Hi Siphiwe,

    In order to generate a signature on your own without using our SDK, please follow the directions here:

    https://support.cloudinary.com/hc/en-us/articles/203817991-How-to-generate-a-Cloudinary-signature-on-my-own-

    Thanks,
