Disable Image Transformation via URL, only allow Worker

Hello Cloudflare community,

I am evaluating the possible use of Cloudflare Image Transformations (formerly Image Resizing).

The documentation suggest that we can use Workers to have control over which resizing parameters are allowed, and also to authorize requests to private external image sources.

However, as far as I understand, even with a Worker configured, the direct URL-based transformation API is still available for users of my website to abuse.

Is that possible to disable the URL API and only expose Image Transformations via a Worker?

Also, do I need to enable “Resize from any origin” flag if I use a Worker?

Thank you in advance for your help.

Best regards,
Andrey

Welcome to the Cloudflare Community!

You need Transformations enabled for the specific zone/website your worker is running on, in order for it to resize things. You do not, however, need the Resize from any origin flag if you are using a Worker, it’ll let you resize from anywhere without it enabled.

You can use a simple blocking Custom Rule to stop people from using the cdn-cgi/image path directly:
Edit Expression → starts_with(http.request.uri.path, "/cdn-cgi/image") (or if you wanted to do it in the visual editor you could just use contains, slightly more loose matching though)

2 Likes

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.