How to secure image URLs?

Hello,

Is there a way to have a secure URL for the assets?

Context: We don’t want to expose assets through URLs. We want to keep our assets private until they are published.

I see that DatoCMS is using ImgIx for the assets management based on this documentation

https://www.datocms.com/docs/general-concepts/images

Also, ImgIx has documentation regarding how to secure the asset URLs:

Securing Assets | imgix Documentation

I’m wondering how it’s possible through DatoCMS to have secure URLs?

If we’re using the API explorer, we can return the image src.

Right now, even if I’m using the sandbox environment, it’s possible for anyone to access my image URL.

Thanks

Hi

We do not support that IMGIX functionality at the moment, I’m sorry.

Anyway, it only prevents others from changing IMGIX parameters defined in the URL, it won’t block access to the source asset.

Okay thanks

Is there a plan for this feature or not yet?

No plan, I’m sorry.

Assets you upload to DatoCMS are publicly available, so even if we introduce the IMGIX signing mechanism, your upload will still be public.

Currently we are experiencing a large spike on our assets. We are already putting an additional server in front of it, but is there a way to put some additional security on the source images?

@glenn.bostoen unfortunately we still don’t support authentication or rendering Asset URLs private.

The best way to go about this would be to remove the assets from the front-end, or, if you think the direct URL is being used somewhere else, you can re-upload the asset to re-generate its URL.

Is there an easy way to rewrite all urls to a custom domain?

When it comes to changing the URL there are a couple of options to do so:

  • You can set up a reverse proxy service with Cloudflare Workers to host them on the proxy’s domain

  • You can set up a custom S3 bucket for the assets on your project Custom AWS S3 storage - DatoCMS

However, as mentioned on that documentation page, you still have to manage and pay for the S3 bucket, a one-time activation fee of 300 euros, and an Imgix instance, so if a custom URL is really the only goal, then another option would be to create a simple reverse proxy for the assets. A possible implementation would be with Cloudflare Workers: Guide: How to Reverse Proxy a Webflow project with Cloudflare Workers · Guide: How to Reverse Proxy with Cloudflare Workers.
If you do want to also have control over your imgix instance, and the hosting of the images on the S3, then the custom bucket should be the way to go.

Ok, and regarding the responses from the GraphQL CDA, we still need to manually rewrite the responses to ensure no imgix URLs are leaked?

In case of the reverse proxy, yes, we will still return the usual datocms-assets domain URLs, that would have to be mapped onto your proxy URL before they hit the front end.
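
The mapping step described in the last reply, as an added example that is not part of the thread or DatoCMS's own code: it rewrites asset URLs in a parsed GraphQL response to a proxy host, then lists any string that still references the upstream host. The hostnames `www.datocms-assets.com` and `assets.example.com` and all function names are assumptions for illustration.

```javascript
// Added example, not from the thread. Both hostnames are assumptions.
const SOURCE_HOST = "www.datocms-assets.com"; // assumed upstream asset host
const PROXY_HOST = "assets.example.com";      // hypothetical reverse-proxy host

// Rewrite a token only when it parses as an https URL on exactly SOURCE_HOST,
// so lookalike hosts are left alone. Path and imgix query string are kept.
function rewriteUrl(token) {
  let url;
  try { url = new URL(token); } catch { return token; } // not an absolute URL
  if (url.protocol !== "https:" || url.hostname !== SOURCE_HOST) return token;
  url.hostname = PROXY_HOST;
  return url.toString();
}

// A string may hold one URL or a srcSet list ("url 300w,url 600w"): split on
// whitespace and on commas that start a new URL, keeping the separators.
function rewriteString(text) {
  return text.split(/(\s+|,(?=https?:\/\/))/).map(rewriteUrl).join("");
}

// Recursively rewrite every string in a parsed GraphQL response.
function rewriteAssets(node) {
  if (typeof node === "string") return rewriteString(node);
  if (Array.isArray(node)) return node.map(rewriteAssets);
  if (node && typeof node === "object") {
    return Object.fromEntries(
      Object.entries(node).map(([key, value]) => [key, rewriteAssets(value)]));
  }
  return node;
}

// Independent check: JSON paths of strings still referencing the upstream host
// (for example URLs inside HTML fields, which rewriteString does not parse).
function findLeaks(node, path = "$", found = []) {
  if (typeof node === "string") {
    if (node.includes(`//${SOURCE_HOST}/`)) found.push(path);
  } else if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) findLeaks(value, `${path}.${key}`, found);
  }
  return found;
}

// Constructed sample response (not real project data).
const sample = { data: { post: { cover: {
  url: "https://www.datocms-assets.com/123/photo.jpg?w=600&auto=format",
  responsiveImage: { srcSet: "https://www.datocms-assets.com/123/photo.jpg?dpr=0.5 300w,https://www.datocms-assets.com/123/photo.jpg?dpr=1 600w" },
} } } };
const rewritten = rewriteAssets(sample);
console.log(JSON.stringify(rewritten, null, 2), findLeaks(rewritten));
```

Running `findLeaks` on the rewritten response before it reaches the front end shows which fields need their own handling. As stated earlier in the thread, the upstream asset itself remains publicly reachable.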