Signed uploads - using same signature twice
Hi All,
I want to allow users on my website to upload images using Cloudinary and am looking at security best practice - the use case is a malicious user who is uploading images over and over in order to try and create problems.
I am guessing I should use signed uploads so that the signature is only valid for one hour....if an image is uploaded using that signature, is this a one time thing? i.e. if the malicious user tries to upload another image using the same signature, will this fail?
Also, if image upload is done in the browser, is it possible for my servers to be notified via Cloudinary servers when an image is uploaded?
(If there is a blueprint for best practice architecture for my use case, please do let me know)
Thanks and best wishes
Sujay
-
Hi Sujay,
Securing your website from unexpected or malicious image uploads can be done in different ways depending on the site's features.
As you mention using signed uploads is a good first step. You will also likely have to expose an endpoint within your servers and then send files to Cloudinary through it.
That gives you complete control over when the upload to Cloudinary happens and doesn't expose the asset metadata to the client side either.Some ideas for security rules might be:
- storing the files under the same public_id so that any further uploads keep overwriting the same user image,
- keeping track of the number of uploaded images per user and limiting that,
- keeping track of the last upload time to throttle user uploads.
Without any kind of such rules signed uploads alone will not solve the issue automatically.
Regarding the possibility of notifications being sent when image upload is done, you can look at Upload API notifications.
Hope this helps, please let me know if you have any further questions.
Post is closed for comments.
Comments
3 comments