Serving Cloudflare R2 files with hmac verification-powered expiration?


We currently serve a lot of large files via R2, but are not benefitting from free egress because we want to enforce url expiration after a few hours and currently achieve this using a WAF rule with the is_timed_hmac_valid_v0() function.

Is it possible to still enforce url expiration using R2 alone that would eliminate the need for piping terabytes of traffic through CF and racking up CDN costs?

I thought of using workers, but ran into a dead end. If we verify in the worker and then redirect, the user can capture the redirected url and access it indefinitely. If we serve directly using the worker, then we still rack up CDN costs.

Thank you.

Ran into Presigned URLs · Cloudflare R2 docs.

The first thing that jumps out is this:


Presigned URLs can only be used with the <accountid> S3 API domain and cannot be used with custom domains. Instead, you can use the general purpose HMAC validation feature of the WAF, which requires a Pro plan or above.

We’re actually using a custom domain. I guess we could consider switching to the R2 URL but I recently saw a post on the Cloudflare forums about the domain being blocked by some Indian ISPs. `` is blocked by major indian ISPs

It’s a real bummer it doesn’t work with custom domains.

Any chance custom domain support is on the roadmap for presigned urls?

1 Like