Secure your images so that you maintain control of how they are displayed on the Internet.

Securing URLs adds a layer of security to your images, by blocking anyone who doesn't have access to your account from altering the URLs. This helps prevent your Sources from being used maliciously—for instance, to produce unwanted renders or as a CDN for a separate site.

imgix recommends securing all URLs that are used to serve your images. Although we don’t require that Amazon S3, Google Cloud Storage, and Web Folder Sources be secured, it is a requirement for Web Proxy Sources.

To secure an image URL, we use a cryptographic hash function called “MD5” to combine the original URL with a unique token that we generate for each secure Source. The result of this hash function is then appended to the end of your unsigned URL with the s parameter, creating a signed URL.

If the path or parameters of your URL are altered after the s parameter has been set, the altered URL will return a “403 Forbidden” code instead of an image. This prevents unauthorized parties from changing the parameters on your URLs, but it also means that if you need to change the parameters yourself, you’ll need to re-sign the new URL.

Enabling Secure URLs

Before an image URL can be signed, the Secure URL option must be enabled in your Source. Web Proxy Sources have this turned on automatically, and you can turn it on for your Amazon S3 or Web Folder Sources by following these steps:

  1. Go to the Sources page and click View for the Source you’d like to update.
  2. In the Configuration section, click Edit.
  3. In the Security subsection, check Secure URLs.
    Security checkbox
  4. Click Review and Deploy at the bottom of the page.
  5. Review your changes and click Deploy this Config to complete the changes to your Source.

Now that the Secure URL option is enabled in your Source, image URLs served from that Source can be signed. The Tools tab contains the Sign Image tool that will append the signature to the end of the query string. See the next section for instructions on using this tool.

Securing Images on a Per-Image Basis

Once Secure URLs are enabled, you can sign individual images by clicking the Sign URLs button on your Source’s detail page.

Security enabled in dashboard

Single Images

Entering multiple URLs to sign

  1. Choose the subdomain for which you want to sign images from the dropdown menu.
  2. Set the path for your image if it’s in a folder within your Source.
  3. Assign any parameters with which you want to transform the image.
  4. Set the expiration date for the signature.
  5. Click Sign Image.
  6. The form will be replaced with your signed URL, plus a button to copy the signed URL directly to your clipboard. Use the new signed URL to serve the image.

Multiple Images

Entering multiple URLs to sign

  1. Click the “Multiple” side of the button on the top right of the page.
  2. Enter the full URLs for all of the images you want to sign, including any parameters. You can enter up to 100 URLs.

Using Tools

You can also sign image URLs in the Sign URLs section of the Tools view.

"Sign Image URLs" button for a secure source

  1. Enter the fully-qualified URL of your image, including any parameters you want to transform the image with. See the Image API Documentation for instructions.
  2. Set the expiration date for the signature.
  3. Click Sign Image.
  4. The form will be replaced with your signed URL, plus a button to copy the signed URL directly to your clipboard. Use the new signed URL to serve the image.

To sign another URL, just click Sign Another Image.

Expiring URLs

URLs can be given an expiration date via an expires parameter that takes a UNIX timestamp in the query string. For example:

?expires=1477789261

This UNIX timestamp translates to 10/30/2016 1:01am (UTC time). Requests made to this URL after that time will output a 404 status code. When the request is made before the expiration date, the Cache-Control header of the image is replaced with the amount of time left until the expiration date, in seconds. With the same expires value, when the current time is 10/30/2016 1:00am (UTC time), the header will output Cache-Control: max-age=60.

Because the timestamp can be changed freely in the query string, we recommend signing images that use the expires header to prohibit this behavior.

Securing Images in Your Application

For securing images within applications or websites at scale, we strongly recommend using one of the imgix client libraries. This ensures that you will always be up to date with the latest issues in any given language. Although the imgix URL API is simple, there are a few corner cases that are not always apparent.

If a client library is not available in your language, please see the Securing URLs section of the imgix library blueprint document.