I'm having difficulties figuring out the correct approach for preventing the following scenario:
In my understanding, if I expose a cloudinary image url to the client, that means a malicious user could make any number of requests for that image, thus being able to endlessly increase my Net Viewing Bandwidth.
Signed urls would not, I think, be an option for mobile apps, which wouldn't be able to keep any secret information.
Should the client always go through a server under my control requesting the image by an internal id, rather than by the cloudinary url? The intermediary server would then request the image from cloudinary and serve it back to the client, so that the client never knows the cloudinary image url?
This approach doesn't seem ideal to me, as the user would need to wait for the image to be downloaded twice (once to the intermediary server and once to the client).
I guess I'm missing out some information... Could you please point me in the right direction?
Post is closed for comments.