Serverless Image Handler

Appendix E: Safe URL

This solution allows customers to deploy secured URLs using a custom security key. The security key needs to be provided to the Thumbor configuration using AWS Lambda environment variables. For more information about using Lambda variables, see Appendix J.

When end-users access the page and load the image, Thumbor generates an authentication code for the image URLs and filters, using the SECURITY_KEY provided in the Thumbor config file. If the hash in the request URL and the authentication codes match, Thumbor processes the image. For more information, see Thumbor’s safe URL.

Use the following procedure to implement and verify Safe URL:

  1. Log in to the AWS Lambda console and select the <stack-name>-ImageHandlerFunction-<id> Lambda function.

  2. Remove the Lambda environment variable: Key=ALLOW_UNSAFE_URL

    Note

    You can only use one environment variable at a time. Use ALLOW_UNSAFE_URL=true for allowing unsafe URLs, or use SECURITY_KEY='mysecuritykey' when safe URLs are needed.

  3. Add the Lambda environment variable: Key=SECURITY_KEY, Value=mysecuritykey

  4. Select Save Changes.

  5. In the Outputs section, select the Solution UI URL.

  6. Change the height/width to make sure you are not getting a cached version of the image.

  7. Select Safe URL and set the value to the hash calculated for mysecuritykey:

    ```python
    import base64
    import hmac
    from hashlib import sha1

    http_key = 'mysecuritykey'  # security key provided to the Lambda env variable
    http_path = '200x200/smart/sub-folder/myimage.jpg'  # sample options for myimage
    # HMAC-SHA1 over the path, keyed with the security key (Python 3 needs bytes)
    hashed = hmac.new(http_key.encode(), http_path.encode(), sha1)
    encoded = base64.b64encode(hashed.digest()).decode()
    # make the base64 string URL-safe, as Thumbor expects
    signed_path = encoded.replace('/', '_').replace('+', '-')
    ```

The above procedure implements the following image URL and filters with options:

210x210/smart/filters:watermark(https://d2n9bu90z1w8su.cloudfront.net/serverless-image-handler-ui/img/aws-logo-watermark.png,75,0,0)/serverless-image-handler-ui/img/multiface.jpg

hash: Wwjr74-R7GrVN0XPT-Aq_DGFOh8=
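Signing and verifying a request path as described above, written here as an added example (not the solution's or Thumbor's own code): `sign_path` reproduces the HMAC-SHA1 step from step 7 with the key and sample path from this appendix, and `verify_request` shows the server-side check with a constant-time comparison. The handling of a literal `unsafe` first segment mirrors the ALLOW_UNSAFE_URL setting; the function and parameter names are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample values: the key and path used in this appendix.
SECURITY_KEY = "mysecuritykey"
SAMPLE_PATH = "200x200/smart/sub-folder/myimage.jpg"


def sign_path(security_key: str, image_path: str) -> str:
    """Thumbor-style safe-URL signature: HMAC-SHA1 keyed with the security
    key over the options+image path, base64 with '/'->'_' and '+'->'-'."""
    digest = hmac.new(security_key.encode("utf-8"),
                      image_path.encode("utf-8"), hashlib.sha1).digest()
    # urlsafe_b64encode performs the same two substitutions as step 7 above
    return base64.urlsafe_b64encode(digest).decode("ascii")


def build_safe_url(security_key: str, image_path: str) -> str:
    """Assemble the request path as /<signature>/<options>/<image>."""
    return "/{}/{}".format(sign_path(security_key, image_path), image_path)


def verify_request(security_key: str, request_path: str,
                   allow_unsafe: bool = False) -> bool:
    """Server-side check of an incoming path (hypothetical helper).

    allow_unsafe mirrors ALLOW_UNSAFE_URL: when True, a path whose first
    segment is the literal 'unsafe' (Thumbor's convention) is accepted
    without a signature. Otherwise the signature is recomputed and compared
    in constant time, so a wrong guess does not leak how many leading
    characters were correct.
    """
    parts = request_path.lstrip("/").split("/", 1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False
    presented, image_path = parts
    if presented == "unsafe":
        return allow_unsafe
    expected = sign_path(security_key, image_path)
    return hmac.compare_digest(presented.encode("utf-8"),
                               expected.encode("ascii"))


if __name__ == "__main__":
    url = build_safe_url(SECURITY_KEY, SAMPLE_PATH)
    print(url)
    print("valid:", verify_request(SECURITY_KEY, url))
    # reusing the signature with different options must be rejected
    tampered = "/" + sign_path(SECURITY_KEY, SAMPLE_PATH) + "/210x210/smart/sub-folder/myimage.jpg"
    print("tampered:", verify_request(SECURITY_KEY, tampered))
```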

Following this procedure successfully implements a secured URL. You may rotate security keys as per your requirements and as often as needed by updating the Lambda environment variable values. To verify the implementation, change the Security Key value in the Demo UI console, navigate to the Lambda logs and check for the following error: