Articles in this section

See more

How to verify an upload response signature

Avatar
Daniel Mendoza
  • Updated
Follow

When uploading assets, it is good practice to verify that the signature in the upload response matches the signature generated on your server-side. This will help prevent a spoofing attack. 

Here is an example upload response:

{
 public_id: 'sample',
 version: '1312461204',
 width: 864,
 height: 564,
 format: 'jpg',
 created_at: '2017-08-10T09:55:32Z',
 resource_type: 'image',
 tags: [], 
 bytes: 9597, 
 type: 'upload', 
 etag: 'd1ac0ee70a9a36b14887aca7f7211737', 
 url: 'https://res.cloudinary.com/demo/image/upload/v1312461204/sample.jpg',
 secure_url: 'https://res.cloudinary.com/demo/image/upload/v1312461204/sample.jpg',
 signature: 'abcdefgc024acceb1c1baa8dca46717137fa5ae0c3',
 original_filename: 'sample'
}

To verify the signature, the required parameters are public_idversion and api_secret. Here is an example in Ruby:

params_to_sign = {public_id: "sample", version: "1312461204"}
Cloudinary::Utils.api_sign_request(params_to_sign, Cloudinary.config.api_secret)

Here is how it's done in the client libraries: 

Ruby On Rails:

api_sign_request(params_to_sign, api_secret)

PHP:

api_sign_request($params_to_sign, $api_secret)

Node JS:

api_sign_request = function(params_to_sign, api_secret)

Java:

apiSignRequest(Map<String, Object> paramsToSign, String apiSecret)

Django:

api_sign_request(params_to_sign, api_secret)

.NET:

SignParameters(IDictionary<string, object> parameters) 

Note that generating a signature is only available on server-side SDKs as one should never expose their API_SECRET in client-side code.

Related articles

Comments

4 comments

Sort by Date Votes
  • Avatar
    Imoafrica

    hello i am trying to upload image with the widget, a signed upload.

    so, how can i get the version string or is just a ramdon string

    0
    Comment actions Permalink
  • Avatar
    Yakir Perlin

    Hi, 

    You don't need to sign to version string.

    We created an example of singed upload endpoint with https://webtask.io/.

    You need to register (It's free) and create a new function from a template, then just select the signed upload template.

     

    Please try and let me know if it works for you.

    Best,

    Yakir

    0
    Comment actions Permalink
  • Avatar
    Rayee Roded
    • Edited

    This article states that only the public_id and version are the required parameters that needs to be included to verify the signature. However the following  docs:

    https://support.cloudinary.com/hc/en-us/articles/115001302471-How-to-validate-Cloudinary-webhooks-signature-

    https://cloudinary.com/documentation/notifications#verifying_notification_signaturesCloudinary Webhooks and Notifications | Cloudinary

    mentions that the entire body needs to be included (stringified I assume?!) 

    Which one is correct?

    0
    Comment actions Permalink
  • Avatar
    Francis Tagbo

    Hi Rayee,

    The signature that is provided here is for the response to the upload request while the signature that you mentioned is for the notification that we have sent to let your server know that something has been done to your asset.

    For generating the signature to verify the notification, the string to be signed needs the body of the notification.

    Please let me know if this clears things up.

    Regards,
    Francis

    1
    Comment actions Permalink

Please sign in to leave a comment.