Serverless Image Handler
Serverless Image Handler

Appendix D: Safe URL

This solution allows customers to deploy secured URLs using a custom security key. The security key needs to be provided to the Thumbor configuration using AWS Lambda environment variables. For more information about using Lambda variables, see Appendix H.

The solution generates an authentication code for the options and image URL, using the SECURITY_KEY. When end-users access the page and thus load the image, Thumbor generates an authentication code for the same options and image URL, using the SECURITY_KEY provided in the request URL. If both authentication codes match, Thumbor processes it. For more information, see Thumbor’s safe URL.

Use the following procedure to implement and verify Safe-URL implementation:

  1. Log in to the AWS Lambda console, select the <stack-name>-ImageHandlerFunction-xxxx > Lambda function.

  2. Add the Lambda environment variable: Key=ALLOW_UNSAFE_URL, Value=False

  3. Add the Lambda environment variable: Key=SECURITY_KEY, Value=mysecuritykey

  4. Select Save Changes.

  5. In the Outputs section, select the Solution UI URL.

  6. Select Safe URL and set the value to mysecuritykey.

  7. 7. Change the height/width to make sure you are not getting cached version of image.


Following this procedure successfully implements a secured URL. You may rotate security keys as per your requirements and as often as needed by updating the Lambda environment variable values. To verify the implementation, change the Security Key value in the Demo UI console, navigate to the Lambda logs and check for the following error: