Documentation

Securing Images

Securing URLs adds a layer of security to your images, by blocking anyone who doesn’t have access to your account from altering the URLs. This helps prevent your Sources from being used maliciously—for instance, to produce unwanted renders or as a CDN for a separate site.

imgix recommends securing all URLs that are used to serve your images. Although we don’t require that Amazon S3, Google Cloud Storage, and Web Folder Sources be secured, it is a requirement for Web Proxy Sources.

To secure an image URL, we use a cryptographic hash function called “MD5” to combine the original URL with a unique token that we generate for each secure Source. The result of this hash function is then appended to the end of your unsigned URL with the s parameter, creating a signed URL.

If the path or parameters of your URL are altered after the s parameter has been set, the altered URL will return a “403 Forbidden” code instead of an image. This prevents unauthorized parties from changing the parameters on your URLs, but it also means that if you need to change the parameters yourself, you’ll need to re-sign the new URL.

Enabling Secure URLs

Before an image URL can be signed, the Secure URL option must be enabled in your Source. Web Proxy Sources have this turned on automatically, and you can turn it on for your Amazon S3 or Web Folder Sources by following these steps:

  1. Go to the Sources page and click View for the Source you’d like to update.
  2. In the Configuration section, click Edit.
  3. In the Security subsection, check Secure URLs.
    Security checkbox

  4. Click Review and Deploy at the bottom of the page.

  5. Review your changes and click Deploy this Config to complete the changes to your Source.

Now that the Secure URL option is enabled in your Source, image URLs served from that Source can be signed. The Tools tab contains the Sign Image tool that will append the signature to the end of the query string. See the next section for instructions on using this tool.

Securing Images on a Per-Image Basis

Once Secure URLs are enabled, you can sign individual images by clicking the Sign URLs button on your Source’s detail page.

Security enabled in dashboard

Single Images

Entering multiple URLs to sign

  1. Choose the subdomain for which you want to sign images from the dropdown menu.
  2. Set the path for your image if it’s in a folder within your Source.
  3. Assign any parameters with which you want to transform the image.
  4. Set the expiration date for the signature.
  5. Click Sign Image.
  6. The form will be replaced with your signed URL, plus a button to copy the signed URL directly to your clipboard. Use the new signed URL to serve the image.

Multiple Images

Entering multiple URLs to sign

  1. Click the “Multiple” side of the button on the top right of the page.
  2. Enter the full URLs for all of the images you want to sign, including any parameters. You can enter up to 100 URLs.

Using Tools

You can also sign image URLs in the Sign URLs section of the Tools view.

"Sign Image URLs" button for a secure source

  1. Enter the fully-qualified URL of your image, including any parameters you want to transform the image with. See the Image API Documentation for instructions.
  2. Set the expiration date for the signature.
  3. Click Sign Image.
  4. The form will be replaced with your signed URL, plus a button to copy the signed URL directly to your clipboard. Use the new signed URL to serve the image.

To sign another URL, just click Sign Another Image.

Expiring URLs

URLs can be given an expiration date via an expires parameter that takes a UNIX timestamp in the query string. For example:

?expires=1477789261

This UNIX timestamp translates to 10/30/2016 1:01am (UTC time). Requests made to this URL after that time will output a 404 status code. When the request is made before the expiration date, the Cache-Control header of the image is replaced with the amount of time left until the expiration date, in seconds. With the same expires value, when the current time is 10/30/2016 1:00am (UTC time), the header will output Cache-Control: max-age=60.

Because the timestamp can be changed freely in the query string, we recommend signing images that use the expires header to prohibit this behavior.

Securing Images in Your Application

For securing images within applications or websites at scale, we strongly recommend using one of the imgix client libraries. This ensures that you will always be up to date with the latest issues in any given language. Although the imgix URL API is simple, there are a few corner cases that are not always apparent.

If a client library is not available in your language, please see the Securing URLs section of the imgix library blueprint document.

Tips for Additional Security

Securing your image URLs with the methods above gives you one level of security—other people won’t be able to change the parameters you specify. However, doing so won’t prevent hotlinking with the parameters intact. To fend off this type of image theft, it’s best to block such requests at the server level, by only allowing image links from your imgix Source and your website.

Depending on your hosting setup, you may be able to do this through cPanel or another server administration tool (such as editing the policy on your S3 bucket). Alternately, if you’re comfortable changing your .htaccess file directly, here’s a basic recipe you can tweak.

 RewriteEngine On
 RewriteCond %{HTTP_REFERER} !^$
 RewriteCond %{HTTP_REFERER} !^https://my-source.imgix.net [NC]
 RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?my-domain.com [NC]
 RewriteRule \.(jpg|jpeg|png|gif|webp)$ - [F]
  • Replace my_source.imgix.net with the name of your imgix Source domain
  • Replace my-domain.com with the domain name of your website (you can add additional lines with this pattern if you have multiple domains requesting images)
  • You can specify some additional settings and experiment with .htaccess using this tool

FAQs

Can I create a secured custom domain using HTTPS/SSL?

Yes, you can use your own domain name for an imgix URL.

Please contact support@imgix.com for implementation details and current pricing information. There are non-recurring fees for setup and changes to the SSL certificate, as well as an ongoing monthly cost.

All standard hostnames powered by imgix (e.g. your-name.imgix.net) automatically support secured transport (SSL / TLS) for no additional charge.

How does imgix secure my information?

For account passwords, we rely on industry-standard, high-iteration, adaptive hashing functions to prevent passwords from being readable or reversed.

Billing information such as credit card numbers never touches our servers. Instead, we rely on Stripe to handle our billing, which captures and encrypts billing information using industry-standard best practices.

When you configure a source that has sensitive credentials, such as Amazon S3 keys, we immediately encrypt all private information using hardened, industry-standard encryption algorithms. The few internal services that require access to this information have the necessary access to decrypt the information when required. These services exist within our internal network and are not publicly addressable. As an added layer of security, we recommend to all of our users that they provide us with read-only credentials when working with an image store like Amazon S3.