When uploading assets, it is good practice to verify that the signature in the upload response matches the signature generated on your server side. Because the signature is computed from the response parameters together with your API secret, this check confirms that the response really came from Cloudinary and was not spoofed or tampered with in transit.
Here is an example upload response:
{
  public_id: 'sample',
  version: '1312461204',
  width: 864,
  height: 564,
  format: 'jpg',
  created_at: '2017-08-10T09:55:32Z',
  resource_type: 'image',
  tags: [],
  bytes: 9597,
  type: 'upload',
  etag: 'd1ac0ee70a9a36b14887aca7f7211737',
  url: 'https://res.cloudinary.com/demo/image/upload/v1312461204/sample.jpg',
  secure_url: 'https://res.cloudinary.com/demo/image/upload/v1312461204/sample.jpg',
  signature: 'abcdefgc024acceb1c1baa8dca46717137fa5ae0c3',
  original_filename: 'sample'
}
To verify the signature, the required parameters are public_id and version (taken from the upload response) together with your api_secret. Here is an example in Ruby:
params_to_sign = {public_id: "sample", version: "1312461204"}
Cloudinary::Utils.api_sign_request(params_to_sign, Cloudinary.config.api_secret)
The value returned by api_sign_request should be compared against the signature field of the upload response.
Here is how it's done in the client libraries:
Ruby: api_sign_request(params_to_sign, api_secret)
PHP: api_sign_request($params_to_sign, $api_secret)
Node.js: api_sign_request = function(params_to_sign, api_secret)
Java: apiSignRequest(Map<String, Object> paramsToSign, String apiSecret)
Python: api_sign_request(params_to_sign, api_secret)
.NET: SignParameters(IDictionary<string, object> parameters)
Note that generating a signature is only available in the server-side SDKs, as one should never expose their API_SECRET in client-side code.
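The server-side check described above, as an added Ruby example that is not the SDK's own code: it rebuilds the string to sign from public_id and version the way the Cloudinary SDKs do (parameters sorted by name, joined as key=value&key=value, API secret appended, SHA-1 hex digest) and compares the result against the response's signature in constant time. The API secret and the sample responses are constructed placeholders, not real credentials or real responses.

```ruby
require 'digest'

# Constructed placeholder secret for this example; a real API secret belongs
# only on the server and never in client-side code.
API_SECRET = 'placeholder_api_secret'.freeze

# Build the string to sign the way the Cloudinary SDKs do: parameters sorted
# by key, joined as key=value&key=value, API secret appended, SHA-1 hex digest.
def expected_upload_signature(public_id, version, api_secret)
  params = { 'public_id' => public_id.to_s, 'version' => version.to_s }
  to_sign = params.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  Digest::SHA1.hexdigest(to_sign + api_secret)
end

# Constant-time comparison so a mismatch is not revealed through timing
# differences (a plain == returns as soon as the first byte differs).
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify an upload response hash (keys as returned by the SDK). Returns true
# only when the response's signature matches the server-side recomputation.
def upload_signature_valid?(response, api_secret)
  signature = response[:signature].to_s
  return false if signature.empty?
  expected = expected_upload_signature(response[:public_id], response[:version], api_secret)
  constant_time_equal?(signature, expected)
end

# Constructed sample response mirroring the article's example upload response.
GOOD_RESPONSE = {
  public_id: 'sample',
  version: '1312461204',
  format: 'jpg',
  signature: expected_upload_signature('sample', '1312461204', API_SECRET)
}.freeze

# Same signature, but the public_id has been swapped: must fail verification.
TAMPERED_RESPONSE = GOOD_RESPONSE.merge(public_id: 'other_asset').freeze

if __FILE__ == $PROGRAM_NAME
  puts "genuine response:  #{upload_signature_valid?(GOOD_RESPONSE, API_SECRET)}"     # true
  puts "tampered response: #{upload_signature_valid?(TAMPERED_RESPONSE, API_SECRET)}" # false
end
```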
Comments
Hello, I am trying to upload an image with the widget, a signed upload.
So, how can I get the version string, or is it just a random string?
Hi,
You don't need to sign the version string.
We created an example of a signed upload endpoint with https://webtask.io/.
You need to register (It's free) and create a new function from a template, then just select the signed upload template.
Please try and let me know if it works for you.
Best,
Yakir
This article states that only the public_id and version are the required parameters that need to be included to verify the signature. However, the following docs:
https://support.cloudinary.com/hc/en-us/articles/115001302471-How-to-validate-Cloudinary-webhooks-signature-
https://cloudinary.com/documentation/notifications#verifying_notification_signatures
mention that the entire body needs to be included (stringified, I assume?!)
Which one is correct?
Hi Rayee,
The signature that is provided here is for the response to the upload request while the signature that you mentioned is for the notification that we have sent to let your server know that something has been done to your asset.
For generating the signature to verify the notification, the string to be signed needs the body of the notification.
Please let me know if this clears things up.
Regards,
Francis