requireSignedURLs not working?

According to https://developers.cloudflare.com/images/upload-images/making-an-image-private, I created a one-time upload URL and passed a JSON blob with requireSignedURLs property set to true.

However, after the client uploaded the image through the created URL, the image can still be accessed without signature. Is there something wrong with the document?

2 Likes

same here, can someone help ??

I tried to follow the document to make the upload image url private via the link: https://developers.cloudflare.com/images/cloudflare-images/upload-images/make-an-image-private
I passed all arguments as the doc required but it doesn’t work, I still can view my public image.
I need to hide the public image for security so hope this API works otherwise I have to find the other way to make it private.
Thank you, btw Cloudflare image is really helpful for resizing.

1 Like

+1
pls someone explain how to make images private

bump!
please, someone escalate this
c’mon guys

I’m able to replicate this with the two commands below. @zaid might be the person to tag. The API docs do not show requireSignedURLs to be an optional parameter.

% curl --request POST \
  --url https://api.cloudflare.com/client/v4/accounts/:account_id/images/v1/direct_upload \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer :token' \
  --data '{
      "requireSignedURLs":"true"
   }'
{
  "result": {
    "id": "180797b4-e797-4d54-af81-10d9a8443382",
    "uploadURL": "https://upload.imagedelivery.net/180797b4-e797-4d54-af81-10d9a8443382"
  },
  "result_info": null,
  "success": true,
  "errors": [],
  "messages": []
}                                                                                                                                                              

% curl -X POST -F [email protected] https://upload.imagedelivery.net/180797b4-e797-4d54-af81-10d9a8443382
{
  "result": {
    "id": "792b432d-bd22-4361-1b7e-e00860c6e400",
    "filename": "cf-logo-h-rgb.jpg",
    "uploaded": "2021-10-29T23:15:30.866Z",
    "requireSignedURLs": false,
    "variants": [
      "https://imagedelivery.net/Zx870q0FX49MY9el1o3_VQ/792b432d-bd22-4361-1b7e-e00860c6e400/public",
      "https://imagedelivery.net/Zx870q0FX49MY9el1o3_VQ/792b432d-bd22-4361-1b7e-e00860c6e400/Thumbnail"
    ]
  },
  "result_info": null,
  "success": true,
  "errors": [],
  "messages": []
}%

Passing requireSignedURLs as a parameter seems to work, but that is not the expected behaviour. Requiring the unauthenticated direct upload to mark the image as private is easily circumvented.

% curl -X POST -F [email protected] --form 'requireSignedURLs=true' https://upload.imagedelivery.net/8f5dbd07-d0e5-49fc-9475-99bb9ff46eb3
{
  "result": {
    "id": "550b79a2-6955-472c-2a17-7df8c63ded01",
    "filename": "cf-logo-h-rgb.jpg",
    "uploaded": "2021-10-29T23:32:24.035Z",
    "requireSignedURLs": true,
    "variants": [
      "https://imagedelivery.net/Zx870q0FX49MY9el1o3_VQ/550b79a2-6955-472c-2a17-7df8c63ded01/public",
      "https://imagedelivery.net/Zx870q0FX49MY9el1o3_VQ/550b79a2-6955-472c-2a17-7df8c63ded01/Thumbnail"
    ]
  },
  "result_info": null,
  "success": true,
  "errors": [],
  "messages": []
}

You can also use the Update Image API to require images to be signed.

1 Like

This topic was automatically closed after 15 days. New replies are no longer allowed.