This support forum is no longer in use. Please use the Cloudinary Community at https://community.cloudinary.com/ to receive assistance from other members of the community and from Cloudinary's support team. For account-specific questions or if you believe that you've encountered a bug, please contact the Cloudinary team directly via the "submit a request" option on this support site.

Avoid anyone with a signed url link to access the asset

Follow
Avatar
gStudio Team

Hello, we're building an app for multiple users and would like to avoid anyone that gets the signed URL to access the asset(Same use case as this unsolved forum post: https://support.cloudinary.com/hc/en-us/community/posts/360043417672-Private-Authenticated-Media-still-accessible-to-anyone-with-link)

Here's what I've read:

  1. Private assets are only accessible with a signed URL https://cloudinary.com/documentation/control_access_to_media#private_media_assets
  2. Anyone with a signed URL is able to access the file https://support.cloudinary.com/hc/en-us/community/posts/115001874511-Authenticated-or-private-images-still-accessible-to-anyone-with-access-to-the-URL
  3. Signed URLs are a combination of the transformation + the path + the private-key https://cloudinary.com/documentation/advanced_url_delivery_options#generating_delivery_url_signatures

My questions

  1. As the signed URLs are a combination of those previously noted params, we assume that they do not have an expiration date, is that right? Assuming that, every person that have a signed url, will have access to that asset unless we rotate the api secret?
  2. As Cloudinary infrastucture seems to use s3, it's possible to implement an expiration time as s3 signed urls?
  3. If we try the solution of signed_download_url(https://support.cloudinary.com/hc/en-us/articles/202519892-What-s-the-difference-between-the-private-download-url-and-the-signed-download-url-methods), we are not able to apply any transformation?
  4. Is there another way to achieve the best result to our use case?

 

Thanks

1

Comments

2 comments

Sort by Date Votes
  • Avatar
    Danny Valentine
    Hey. Thanks for getting in touch.

    Signed URLs are great for ensuring that people can't create new transformations on-the-fly, such as taking an asset from your website/application and applying resizing and effects. Signed URLs aren't actually designed to prevent access to media assets outside of your site/app though. Anybody with the URL will be able to see that asset regardless of location, useragent, etc, and this is done by design.

    It sounds like what you're after is authenticated access via token or cookie based authentication, however this is only available to customers on one of our advanced plans. If you'd like to proceed with this, please  raise a support ticket and we can set up a conversation with an account manager.

    With regards to your second and third questions about providing time-limited access via signed_download_url, this is actually for downloading assets rather than displaying them, and as such, transformations can't be applied. To give a use-case example: a digital artist might have watermarked images displayed on their site in low quality using a strict transformation. If a user wanted to buy the image, the private download URL could be generate to provide the full-resolution, unwatermarked image.

    I hope this helps. Please let us know if you have any questions.

    Thanks,
    -Danny
    1
    Comment actions Permalink
  • Avatar
    gStudio Team

    Got it, thanks for the answer!

    0
    Comment actions Permalink

Post is closed for comments.