Best practices for BunnyCDN token authentication for images?
Answered
Indian mackerel posted this in #help-forum
Indian mackerelOP
Hi, I don't know if this is the right place to ask, but couldn't find anything anywhere. With BunnyCDN token authentication, you need to include the token in the url as a query parameter. I'd like to know, for images that are part of a public page, should I just include the full url in the src or do I need to somehow serve it from the backend to prevent users copying the token from the inspector? Sry for the noob question, I'm not very experienced in web security. Any help would be much appreciated!
Answered by B33fb0n3
If the images are public, then the token can also be public. Of course NOT the security token! Only the generated token for the specific image
6 Replies
@Indian mackerel Hi, I don't know if this is the right place to ask, but couldn't find anything anywhere. With BunnyCDN token authentication, you need to include the token in the url as a query parameter. I'd like to know, for images that are part of a public page, should I just include the full url in the src or do I need to somehow serve it from the backend to prevent users copying the token from the inspector? Sry for the noob question, I'm not very experienced in web security. Any help would be much appreciated!
If the images are public, then the token can also be public. Of course NOT the security token! Only the generated token for the specific image
Answer
You can see, that discord for example also share details to access the specific image for a specific amount of time:
Indian mackerelOP
hey thanks for the reply! makes sense. since the image is public anyway, it needs to be accessible :). I was thinking that, but its good to have confirmation. So if i understand correctly, the token is then basically to prevent people from downloading private files in my storage, correct?
@Indian mackerel hey thanks for the reply! makes sense. since the image is public anyway, it needs to be accessible :). I was thinking that, but its good to have confirmation. So if i understand correctly, the token is then basically to prevent people from downloading private files in my storage, correct?
yea, they can only access specific images with a generated token. And to generate the token, they need the security token from bunny. But only the server know this token, so only the server can create tokens for specific images. Exactly what you want ^^
Indian mackerelOP
ok, thank you so much! all clear now
@Indian mackerel ok, thank you so much! all clear now
happy to help. If you need further help, feel free to ping me in a new thread