URL sealing

To prevent your customer from removing certain parameters, you can seal them. For example, if you don't want your users to get the image without a watermark or a certain filter, you can use the URL sealing feature. This system is similar to the URL signature feature but it is only sealing the ci_eqs parameters and allows you to add more filters and operations to the URL without re-generating the signature. This method is compatible with the Responsive images JS plugin.

Please be aware that when URL sealing is activated for your token, all Cloudimage URLs that are not signed properly will cease to work.

The signature is calculated as follows:

Signature = sha1('URI' + 'ci_eqs' + 'Salt') where URI = original_image_url and ci_eqs = value of the content of ci_eqs query string

The syntax to process an image is:

//token.cloudimg.io/original_image_url?ci_eqs=Sealed_parameters&ci_seal=Signature

The Salt string is a shared secret between you and Cloudimage and only you will be able to calculate the signature of your images.

Activation

Before activating URL sealing, please make sure that all Cloudimage URLs contain the proper signatures (see the Usage section below).

To activate this feature, you need to navigate to Image Settings / Security and activate the URL security toggle.

In the Add Security modal, you need to choose URL Sealing and place a string you will be using as salt when generating the sealed parameter signature.

Usage

Step 1. Encode the query string

To watermark an image at the URL sample.li/birds.jpg with query string wat=1&wat_url=http://sample.li/louis-vuitton-logo-white.png&wat_scale=45&wat_gravity=southwest&wat_pad=15, you need to first base64-encode the query string:

base64('wat=1&wat_url=http://sample.li/louis-vuitton-logo-white.png&wat_scale=45&wat_gravity=southwest&wat_pad=15')

becomes

d2F0PTEmd2F0X3VybD1odHRwOi8vc2FtcGxlLmxpL2xvdWlzLXZ1aXR0b24tbG9nby13aGl0ZS5wbmcmd2F0X3NjYWxlPTQ1JndhdF9ncmF2aXR5PXNvdXRod2VzdCZ3YXRfcGFkPTE1

Step 2. Create the signature

The signature has to be created by sha1-hashing the string 'URI' + 'ci_eqs' + 'Salt':

sha1('sample.li/birds.jpg' + 'd2F0PTEmd2F0X3VybD1odHRwOi8vc2FtcGxlLmxpL2xvdWlzLXZ1aXR0b24tbG9nby13aGl0ZS5wbmcmd2F0X3NjYWxlPTQ1JndhdF9ncmF2aXR5PXNvdXRod2VzdCZ3YXRfcGFkPTE1' + 'salt')

The final signature is:

a355cce069fbfb18a4c39113067bf626ead2ebab

Step 3. Construct the URL

//token.cloudimg.io/original_image_url?ci_eqs=Sealed_parameters&ci_seal=Signature

The final URL becomes:

https://demoseal.cloudimg.io/sample.li/birds.jpg?ci_eqs=d2F0PTEmd2F0X3VybD1odHRwOi8vc2FtcGxlLmxpL2xvdWlzLXZ1aXR0b24tbG9nby13aGl0ZS5wbmcmd2F0X3NjYWxlPTQ1JndhdF9ncmF2aXR5PXNvdXRod2VzdCZ3YXRfcGFkPTE1&ci_seal=a355cce069fbfb18a4

Step 4. Use and extend the request

You can use the URL as is or append more parameters to the query string:

https://demoseal.cloudimg.io/sample.li/birds.jpg?ci_eqs=d2F0PTEmd2F0X3VybD1odHRwOi8vc2FtcGxlLmxpL2xvdWlzLXZ1aXR0b24tbG9nby13aGl0ZS5wbmcmd2F0X3NjYWxlPTQ1JndhdF9ncmF2aXR5PXNvdXRod2VzdCZ3YXRfcGFkPTE1&ci_seal=a355cce069fbfb18a4&w=700&h=700

Any parameters that are included in the sealed portion cannot be overwritten in the URL. For example, if a watermark is activated with wat=1 and sealed, appending wat=0 in the URL will not remove the watermark:

https://demoseal.cloudimg.io/sample.li/birds.jpg?ci_eqs=d2F0PTEmd2F0X3VybD1odHRwOi8vc2FtcGxlLmxpL2xvdWlzLXZ1aXR0b24tbG9nby13aGl0ZS5wbmcmd2F0X3NjYWxlPTQ1JndhdF9ncmF2aXR5PXNvdXRod2VzdCZ3YXRfcGFkPTE1&ci_seal=a355cce069fbfb18a4&wat=0