Skip to main content

Signed uploads - using same signature twice

Sujay Jayaram

Hi All,

I want to allow users on my website to upload images using Cloudinary and am looking at security best practice - the use case is a malicious user who is uploading images over and over in order to try and create problems.

I am guessing I should use signed uploads so that the signature is only valid for one hour....if an image is uploaded using that signature, is this a one time thing? i.e. if the malicious user tries to upload another image using the same signature, will this fail?

Also, if image upload is done in the browser, is it possible for my servers to be notified via Cloudinary servers when an image is uploaded?

(If there is a blueprint for best practice architecture for my use case, please do let me know)

Thanks and best wishes

Sujay

 

0

Comments

3 comments

Date Votes
  • Paweł Philipczyk

    Hi Sujay,

    Securing your website from unexpected or malicious image uploads can be done in different ways depending on the site's features.

    As you mention using signed uploads is a good first step. You will also likely have to expose an endpoint within your servers and then send files to Cloudinary through it.
    That gives you complete control over when the upload to Cloudinary happens and doesn't expose the asset metadata to the client side either.

    Some ideas for security rules might be:

    • storing the files under the same public_id so that any further uploads keep overwriting the same user image,
    • keeping track of the number of uploaded images per user and limiting that,
    • keeping track of the last upload time to throttle user uploads.

    Without any kind of such rules signed uploads alone will not solve the issue automatically.

    Regarding the possibility of notifications being sent when image upload is done, you can look at Upload API notifications.

    Hope this helps, please let me know if you have any further questions.

    0
  • Sujay Jayaram

    Hi Pawel,

    Hope you are having a great day.

    Thanks for the response which is very helpful - actually the idea regarding the public id is a really good one - thank you, I will think this through with my team.

    Very best wishes

    Sujay

    0
  • Paweł Philipczyk

    Hi Sujay,

    I'm glad you found that helpful. Please let me know if you have any more questions or do share any good solutions you come up with here.

    Cheers!
    Paweł

    0

Post is closed for comments.

Didn't find what you were looking for?

New post