Securely serving images directly to web app

Hi all! I have some pretty large images I would like to annotate. Including the images as base64 in the tasks means that fetching tasks is quite laggy. Hence, I would like to remove the image "payloads" from the tasks so that only one image is loaded at a time, when one task is displayed. I know that images can be included as URLs.

Now, the thing I am unsure about is how I can serve these images without unduly exposing them to unauthorised parties. Are there any best practices for this? I don't really want to put the API keys/secrets for accessing the data into the URLs I serve for the tasks. Sadly, I don't understand enough about how the browser loads image links to understand what the best solution would be.

Do you know the IP / URL of the served Prodigy app? If so, you could maybe put your images behind a simple web server and configure it so that it only accepts requests from the known hosts. Kinda like how image hosting providers back in the day did it to prevent hotlinking of images :sweat_smile: I think you might even be able to configure this on an S3 bucket. I haven't done this myself but I just came across this link: "Limit Amazon S3 bucket access to certain VPCs or IP addresses". This way, the images would only be accessible if they're requested from a Prodigy app host, but not if you just open it in your browser or use the URL on any other site.

That sounds like it could work! I'm actually reverse-proxying the Prodigy server, so all requests go through my rev proxy. I might be able to require auth on that rev proxy view and forward the image access adequately.

We are using Azure, I will check if it can be configured the right way.

Thanks a bunch :slight_smile:

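The reverse-proxy idea from the last reply, as an added example that is not part of the original thread: a small WSGI view that serves an image only when the request carries a valid session cookie. Browsers attach same-origin cookies to image requests automatically, so the task only needs a plain URL such as `/images/scan1.png` with no key in it. The `/images/` prefix, the cookie name and format, and the sample file are assumptions made for this sketch.

```python
import hashlib
import hmac
import mimetypes
import tempfile
from http.cookies import SimpleCookie
from pathlib import Path

# Assumptions (hypothetical, not from the thread): tasks reference images as
# /images/<name>, and the proxy's login view sets a "session" cookie of the
# form "<user>.<hex HMAC-SHA256 of user>".
SECRET = b"constructed-demo-key"  # constructed; keep the real key server-side
IMAGE_ROOT = Path(tempfile.mkdtemp()).resolve()  # constructed sample directory
(IMAGE_ROOT / "scan1.png").write_bytes(b"\x89PNG constructed sample")


def sign(user: str) -> str:
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def authenticated(environ) -> bool:
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if "session" not in cookie:
        return False
    value = cookie["session"].value
    user = value.rpartition(".")[0]
    # Constant-time comparison against the value the server would have issued.
    return bool(user) and hmac.compare_digest(value.encode(), sign(user).encode())


def app(environ, start_response):
    """Serve /images/<name> only to requests with a valid session cookie."""
    def reply(status, body=b"", ctype="text/plain"):
        start_response(status, [("Content-Type", ctype),
                                ("Cache-Control", "private, no-store")])
        return [body]

    path = environ.get("PATH_INFO", "")
    if not path.startswith("/images/"):
        return reply("404 Not Found")
    if not authenticated(environ):
        return reply("401 Unauthorized")
    target = (IMAGE_ROOT / path[len("/images/"):]).resolve()
    # Reject anything that resolves outside the image directory (../ or absolute).
    if not target.is_relative_to(IMAGE_ROOT) or not target.is_file():
        return reply("404 Not Found")
    ctype = mimetypes.guess_type(target.name)[0] or "application/octet-stream"
    return reply("200 OK", target.read_bytes(), ctype)
```
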