Expiration doesnt do anything on presigned/private URL?

For Workes & Pages, what is the name of the domain?

NA

What is the error number?

NA

What is the error message?

NA

What is the issue or error you’re encountering

Would expect private/presigned URL with expiration to stop working past expiration date, it does not.

What are the steps to reproduce the issue?

I create a presigned/private URL using the following example - Serve private images | Cloudflare Image Optimization docs - the presigned URL works great, I am able to access the photo and any modifications to the URL results in an access denied, as expected.

However, I was expecting that with an expiration set, that past that expiration the URL would die well. My biggest concern is I serve up photos within an app meant only for the specific user, if someone got that presigned URL and shared it, it would be open to the world forever with my biggest concern being it gets abused somehow (ends up on a high volume site, whatever).

Here is an example of the URL with important bits removed - this expired on 8/24 but the image is still available to view: https://imagedelivery.net//public?exp=1724515000300&sig=… is there any point to the expiration value? Is this a bug? do I just not get it (strong likelihood).

As a side note, I’d love a future enhancement where you hit an end point with an image ID and cloudflare gives you back a presigned URL to use… anyway, thoughts?

I’m 100% positive that Worker will generate a signed URL that will expire. The only gotcha I found is that the image is cached for an hour, so that URL may be valid for up to an hour past the expiration.

This one is set to expire in two hours, so with Cache, it may stay for three:

https://imagedelivery.net/KkWzkf9VKineBI8KjhRxQg/477dad69-0a44-4e31-1443-7072e29b0801/newsize?exp=1724623376&sig=9faf70a8efb5cedb8e9c2ca663e6aebd5116e8cc4a9776a486ccef1229d30f3d

UPDATE: Ok, that’s interesting. I may have to take back that extra hour comment. cache-control matches the initial expiration time. The above expiration is 2 hours, and now I see cache-control aligns with that expiration time.

I’ve not done extensive testing to see if edge cache expires exactly at the same time as expiration. Last I checked, it did bleed over a bit.

Thanks - yeah, I see it’s expired now!

Curious as to why it would expire if generated via a worker but not on my server?

Either way, I’ll give the worker route a shot.

So interestingly enough I went back and clicked the link again and it routed me to the pic but here, which I could see: https://cdck-file-uploads-global.s3.dualstack.us-west-2.amazonaws.com/cloudflare/original/3X/c/6/c600d369b7f2bd2565e416c575b2ff2d5aef80b6.jpeg

It looks like Discourse changed the link to point to where Discourse stores images for the Community.

If you copy the link text, and paste it into a browser, you’ll see it’s expired. I’ll fix the link.