When uploading assets, it is good practice to verify that the signature in the upload response matches the signature generated on your server. This will help prevent a spoofing attack.
Here is an example upload response:
{
  public_id: 'sample',
  version: '1312461204',
  width: 864,
  height: 564,
  format: 'jpg',
  created_at: '2017-08-10T09:55:32Z',
  resource_type: 'image',
  tags: [],
  bytes: 9597,
  type: 'upload',
  etag: 'd1ac0ee70a9a36b14887aca7f7211737',
  url: 'https://res.cloudinary.com/demo/image/upload/v1312461204/sample.jpg',
  secure_url: 'https://res.cloudinary.com/demo/image/upload/v1312461204/sample.jpg',
  signature: 'abcdefgc024acceb1c1baa8dca46717137fa5ae0c3',
  original_filename: 'sample'
}
To verify the signature, the required parameters are:
- public_id
- version
- api_secret
Example
Ruby On Rails
Using the api_sign_request method:
Cloudinary::Utils.api_sign_request(params_to_sign, api_secret)
PHP
Using the verify_api_response_signature method:
SignatureVerifier::verifyApiResponseSignature($publicId, $version, $signature);
Using the api_sign_request method:
ApiUtils::signParameters($paramsToSign, $apiSecret);
NodeJS
Using the api_sign_request method:
cloudinary.utils.api_sign_request(params_to_sign, api_secret);
JAVA
Using the verify_api_response_signature method:
ApiResponseSignatureVerifier.verifySignature(String publicId, String version, String signature)
Using the api_sign_request method:
cloudinary.apiSignRequest(Map<String, Object> paramsToSign, String apiSecret)
Python
Using the verify_api_response_signature method:
cloudinary.utils.verify_api_response_signature(public_id, version, signature)
Using the api_sign_request method:
cloudinary.utils.api_sign_request(params_to_sign, api_secret)
DotNet
Using the verify_api_response_signature method:
cloudinary.Api.VerifyApiResponseSignature(string publicId, string version, string signature)
Using the api_sign_request method:
cloudinary.Api.SignParameters(IDictionary<string, object> parameters)
Golang
Using the api_sign_request method:
resp, err := api.SignParameters(ParamsToSign, APISecret)
CLI
Using the verify_api_response_signature method:
cld utils verify_api_response_signature $publicId, $version, $signature
Using the api_sign_request method:
cld utils api_sign_request $params_to_sign, $api_secret
Note that generating a signature is only available in the Cloudinary backend SDKs, because your `API_SECRET` must never be exposed in client-side code.
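As an added worked example (not Cloudinary's own SDK code), the check below does by hand what the api_sign_request calls above do, so the scheme is visible: the parameters to sign are sorted, joined as key=value pairs with &, the API secret is appended, and the SHA-1 hex digest is the signature. The secret and the response are constructed values; in practice the secret comes from your Cloudinary console and the response from the upload call.

```python
import hashlib
import hmac


def sign_params(params_to_sign: dict, api_secret: str, algorithm: str = "sha1") -> str:
    """Cloudinary signing scheme: sorted "k=v" pairs joined with "&", then the
    secret appended, then hashed (SHA-1 by default). Returns the hex digest."""
    to_sign = "&".join(f"{k}={params_to_sign[k]}" for k in sorted(params_to_sign))
    return hashlib.new(algorithm, (to_sign + api_secret).encode("utf-8")).hexdigest()


def verify_upload_response(response: dict, api_secret: str, algorithm: str = "sha1") -> bool:
    """True only if the response signature equals the one we derive from its
    public_id and version with our own api_secret; any missing field fails."""
    try:
        params = {"public_id": str(response["public_id"]),
                  "version": str(response["version"])}  # version may arrive as int or str
        received = response["signature"]
    except KeyError:
        return False
    if not isinstance(received, str):
        return False
    expected = sign_params(params, api_secret, algorithm)
    # Constant-time comparison so timing does not reveal how many characters matched.
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


if __name__ == "__main__":
    API_SECRET = "constructed-example-secret"  # constructed; never ship this client-side
    # Constructed response modelled on the one above; extra fields are ignored by the check.
    upload_response = {
        "public_id": "sample", "version": "1312461204", "width": 864, "format": "jpg",
        "url": "https://res.cloudinary.com/demo/image/upload/v1312461204/sample.jpg",
    }
    upload_response["signature"] = sign_params(
        {"public_id": "sample", "version": "1312461204"}, API_SECRET)
    print("genuine response verifies:", verify_upload_response(upload_response, API_SECRET))
    tampered = dict(upload_response, version="1312461205")
    print("tampered response verifies:", verify_upload_response(tampered, API_SECRET))
```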
Comments
Hello, I am trying to upload an image with the widget, a signed upload.
So, how can I get the version string, or is it just a random string?
Hi,
You don't need to sign the version string.
We created an example of a signed upload endpoint with https://webtask.io/.
You need to register (It's free) and create a new function from a template, then just select the signed upload template.
Please try and let me know if it works for you.
Best,
Yakir
This article states that only the public_id and version are the required parameters that need to be included to verify the signature. However, the following docs:
https://support.cloudinary.com/hc/en-us/articles/115001302471-How-to-validate-Cloudinary-webhooks-signature-
https://cloudinary.com/documentation/notifications#verifying_notification_signatures
mention that the entire body needs to be included (stringified, I assume?!)
Which one is correct?
Hi Rayee,
The signature that is provided here is for the response to the upload request while the signature that you mentioned is for the notification that we have sent to let your server know that something has been done to your asset.
For generating the signature to verify the notification, the string to be signed needs the body of the notification.
Please let me know if this clears things up.
Regards,
Francis