Signed URLs

Secure image URLs by adding a security token to them

Securing image URLs can add an extra layer of security. It helps prevent unauthorized access to your image URLs.

We apply the 'MD5' hash function to the original URL and a secure token to generate the signature. To make a signed URL, pass this signature with the unsigned URL in the s parameter. If the URL is altered or the s parameter is missing, we respond with a 403 - Forbidden status.

Enable Secure URLs

By default, this feature is disabled for every source. You can enable it with the following steps.

  1. Go to the image sources page and edit the source for which you would like to enable secure URLs.
  2. Click on the security tab.
  3. Toggle the 'Secure URLs' button and click save.

Your secure token will appear below this option and you will be able to use it to sign a URL.

❗️

Please read this

Enabling secure URLs for an existing source will lead to 403 errors on all URLs unless all requests are signed. Please enable it at your own discretion and with appropriate knowledge.

Signing URLs

We use 'MD5', a cryptographic hash function, to sign the image URL. Your secure token, image URL and query parameters are the input to this function. The output of the hash function is appended to the end of your unsigned URL as the s parameter.

Here is sample Node.js code to sign any URL.

const crypto = require("crypto");

const gumlet_source = 'demo.gumlet.com';
const image_path = 'fell.jpeg';
const query_params = 'width=300';
const signed_secret = 'sample123xyz';  // secure token shown on the source's security tab

// Input to the hash: secure token, then '/', the image path, '?' and the query parameters.
const unsigned_url = signed_secret + '/' + image_path + '?' + query_params;
const hash = crypto.createHash('md5').update(unsigned_url).digest('hex');

// Append the hex digest to the unsigned URL as the s parameter.
const signed_url = 'https://' + gumlet_source + '/' + image_path + '?' + query_params + '&s=' + hash;
console.log(signed_url);
//->> https://demo.gumlet.com/fell.jpeg?width=300&s=xxxxxxxxxxxxxxxxxxxx

You can use this code as a reference and implement URL signing in the language of your choice. We will soon publish examples of URL signing in different languages.

Expiry

URLs can be given an expiration date via an expires parameter in the query string that takes a UNIX timestamp, like ?expires=1584199888

Any request after this timestamp will get a 403 - expired response. For valid requests, we set the remaining time until expiration as max-age in the cache-control header.
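
The signing and expiry rules above, combined in one added Node.js example (not code from the original page or from Gumlet). It assumes that expires is signed together with the other query parameters and that s is the last parameter; verifyUrl is a hypothetical local check that mirrors the documented 403 and max-age behaviour and compares digests in constant time.

```javascript
const crypto = require("crypto");

// Constructed sample values; the token is the sample token used on this page.
const SECURE_TOKEN = "sample123xyz";
const SOURCE_HOST = "demo.gumlet.com";

// MD5 over token + '/' + path + '?' + query, the same input as the page's sample.
function signature(token, path, query) {
  return crypto.createHash("md5").update(`${token}/${path}?${query}`).digest("hex");
}

// Build a signed URL. `expires` (UNIX seconds) is optional and, by assumption,
// is signed together with the other query parameters.
function signUrl(path, params, expires) {
  const all = expires === undefined ? { ...params } : { ...params, expires };
  const query = new URLSearchParams(all).toString();
  return `https://${SOURCE_HOST}/${path}?${query}&s=${signature(SECURE_TOKEN, path, query)}`;
}

// Hypothetical verifier: recompute the digest over everything before '&s=',
// compare in constant time, then apply the expiry rule. `now` is UNIX seconds.
function verifyUrl(url, now) {
  const u = new URL(url);
  const path = u.pathname.slice(1);
  const raw = u.search.slice(1);
  const idx = raw.lastIndexOf("&s=");
  if (idx === -1) return { status: 403, reason: "missing s" };
  const query = raw.slice(0, idx);
  const given = Buffer.from(raw.slice(idx + 3));
  const expected = Buffer.from(signature(SECURE_TOKEN, path, query));
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { status: 403, reason: "bad signature" };
  }
  const expires = new URLSearchParams(query).get("expires");
  if (expires !== null) {
    if (now > Number(expires)) return { status: 403, reason: "expired" };
    // Remaining lifetime, which the page says is sent as max-age.
    return { status: 200, maxAge: Number(expires) - now };
  }
  return { status: 200 };
}
```

Because expires sits inside the signed query string in this example, changing the timestamp on a signed URL invalidates the s value just like changing width does.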