Reputation: 1
I’m new here and need some help with securing video links on Cloudinary. I’m using Python to upload a video as private and also setting up strict transformations, but changing the signature in the URL still allows access.
Here’s what I’m doing:
Enable Strict Transformations in the Cloudinary Settings → Security tab.
Create and update a named transformation and allow it for strict transformations:
import cloudinary
import cloudinary.api

cloudinary.api.create_transformation(
    name="my_named_t_1080",
    definition={
        "width": 1920,
        "height": 1080,
        "crop": "limit",
        "bit_rate": "3500k"
    }
)
cloudinary.api.update_transformation(
    transformation="my_named_t_1080",
    allowed_for_strict=True
)
Create a streaming profile (test8) referencing that transformation (and allow it under strict transformations).
Upload the video (private) with an eager transformation:
import cloudinary
import cloudinary.uploader
import cloudinary.api

response = cloudinary.uploader.upload(
    file_path,
    public_id=public_id,
    folder=folder,
    resource_type="video",
    sign_url=True,
    type='private',  # ensures the video is not publicly accessible
    eager=[
        {
            "streaming_profile": "test8",
            "format": "m3u8",
            "type": "private",
            "sign_url": True
        }
    ],
    invalidate=True,
    secure=True,
    eager_async=False
)
Now, the HLS URL I get is something like:
https://res.cloudinary.com/<cloud_name>/video/private/s--aaaabbbb--/sp_test8/series/1/0_6.m3u8
The Problem: When I manually alter the signature part (e.g., s--aaaabbbb-- to some random text), the URL still works—I expected a 403 or some error saying the signature is invalid.
Questions:
Why does changing the signature still allow me to play the video, even though I have strict transformations enabled?
Is there a specific setting or approach I’m missing to ensure an incorrect signature always fails? Thank you for any help or clarification. If there’s a recommended approach to truly invalidate a changed signature I’d love to know.
Upvotes: 0
Views: 22
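
Added example (not part of the original post and not Cloudinary's own code): a local check that recomputes the `s--...--` component of a delivery URL shaped like the one in the question, so a URL can be tested for a matching signature before it is handed to a player. It assumes Cloudinary's documented short-signature scheme (SHA-1 over the signed path plus the API secret, URL-safe base64, first 8 characters) and a URL with no version segment; `API_SECRET`, the cloud name `demo-cloud` and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder, not a real secret.
API_SECRET = "constructed-example-secret"

# https://res.cloudinary.com/<cloud>/<resource_type>/<type>/s--<sig>--/<path>
_URL_RE = re.compile(
    r"^https://res\.cloudinary\.com/[^/]+/(?:image|video|raw)/[^/]+/"
    r"s--(?P<sig>[A-Za-z0-9_-]{8})--/(?P<path>.+)$"
)


def expected_signature(to_sign, api_secret):
    """URL-safe base64 of SHA-1(to_sign + api_secret), first 8 characters."""
    digest = hashlib.sha1((to_sign + api_secret).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest)[:8].decode("ascii")


def build_signed_url(cloud_name, delivery_type, to_sign, api_secret):
    """Build a video delivery URL carrying the signature for to_sign."""
    sig = expected_signature(to_sign, api_secret)
    return (f"https://res.cloudinary.com/{cloud_name}/video/"
            f"{delivery_type}/s--{sig}--/{to_sign}")


def signature_is_valid(url, api_secret):
    """True only if the URL's s--...-- component matches its signed path."""
    m = _URL_RE.match(url)
    if m is None:  # no signature component, or not 8 characters long
        return False
    # Assumption: everything after the signature is the signed string
    # (transformation + public ID with extension, no version segment).
    return hmac.compare_digest(m.group("sig"),
                               expected_signature(m.group("path"), api_secret))


if __name__ == "__main__":
    url = build_signed_url("demo-cloud", "private",
                           "sp_test8/series/1/0_6.m3u8", API_SECRET)
    print(url, signature_is_valid(url, API_SECRET))
    tampered = re.sub(r"s--.{8}--", "s--aaaabbbb--", url)
    print(tampered, signature_is_valid(tampered, API_SECRET))
```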