R2 Cloudflare - Get object, ID account visible in the link (security)


I have some questions about R2 Cloudflare

  1. I have images, videos and others in the R2 bucket and when I retrieve them I have a link of this type:


I would like to know if I can directly display an image / video and others directly via this link on my site or it poses a real security problem that we can see my cloudfare ID and the name of the bucket.

  1. I tried to create a blob link with the Cloudflare link received but it’s impossible, I have this error:

“Access to XMLHttpRequest at ‘ID_CLOUDFARE.r2.cloudflarestorage.com/BUCKET_NAME/…’ from origin ‘mywebsite.net’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.”

is it impossible to create a blob with a cloudfare r2 link ?

Thank you


For now, the only way would be a worker. See this which details a simple worker to get started, but you’d need to extend it to have proper access control and CORS headers: Get started guide · Cloudflare R2 docs

Otherwise, please read:

1 Like

FYI public buckets that are available via a CNAME on your domain are coming very, very soon - and will solve both points.


Thank you for the answer.

But is making my CloudFare ID public really a big security issue?

I wouldn’t go posting it everywhere for the sake of it but it isn’t really sensitive, no.

No-one can do anything with it unless they had an API token/key of yours.


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.