Signed URLs

Secure URLs of images by adding security token to URLs

Securing image URLs can add an extra layer of security. It helps to prevent unauthorized access of your image URL.

We use 'MD5' hash function on original URL and secure token to generate the signature. This signature needs to pass with unsigned URL with parameter s to make signed URL. If the URL is altered or missing the s parameter , we will respond with 403 - Forbidden status.

Enable Secure URLs

By default this feature is disabled for any source. You can enable it by following steps.

  1. Go to sources page, edit the source which you would like to enable secure URL.
  2. Click on security tab.
  3. Toggle 'Secure URLs' button and click save.

Your secure token will be appear bellow this option and you can use it to sign URL.


Please read this

Enabling secure URLs for existing source will lead to 403 errors on all URLs unless all requests are signed. Please use this carefully and don't enable it unless you know what you are doing.

Signing URLs

We uses 'MD5' a cryptographic hash function to sign the image URL. Your secure token, image URL and query parameters will be input to this function. The output of this hash function will be appended to the end of your unsigned URL with s parameter.

Here is the sample Nodejs code to sign any URL.

const crypto = require("crypto");

const gumlet_source = '';
const image_path = 'fell.jpeg';
const query_params = 'width=300'
const secure_token = 'sample123xyz';

const unsigned_url = secure_token + '/' + image_path + '?' + query_params;
const hash = crypto.createHash('md5').update(unsigned_url).digest('hex');

const signed_url = 'https://' + gumlet_source + '/' + image_path + '?' + query_params + '&s=' + hash;

You can take reference of this code and implement URL signing in language of your choice. We will soon publish examples of URL signing in different languages.


URLs can be given an expiration date via an expires parameter that takes a UNIX timestamp in the query parameters like ?expires=1584199888

Any request after this timestamp, will 403 - expired. We set remaining time of expiration as max-age in cache-control header for valid requests.

Did this page help you?