Cloudinary Blog

User-Generated Content, Part 4: Security

Ensuring the Security of Assets Uploaded as User-Generated Content

Part 1 of this series highlights the basics of user-generated content (UGC) and its benefits for e-commerce. Part 2 describes how to leverage UGC images in e-commerce and efficiently upload, transform, and deliver them with Cloudinary. Part 3 focuses on videos in UGC and the many related management capabilities offered by Cloudinary.

Part 4 here suggests ways of rendering UGC media securely and free of harmful or inappropriate material, in particular by leveraging two configurations and an add-on in Cloudinary.

Site owners rightly assume that all UGC uploaded to their system originates from their users. Inevitably, however, with the ability for anyone to upload content to a site, others might want to see how much they can get away with, like large amounts of assets that overwhelm your system, files with embedded code, or, even worse, assets that contain malicious content. Regardless, you must take precautions against those misdeeds.

You can set up your system in many ways to handle your unique UGC workflow. In this case, a wise practice is to never serve on your site or app the original—that is, unprocessed—assets uploaded as UGC to avoid unknowingly delivering malicious content, which could have serious ramifications, typically leading to unwanted, adverse publicity.

What should you serve instead? A dynamic media platform like Cloudinary can help because it automatically processes all your non-original images and videos (aka transformed assets), ensuring that they are optimized and malware free. To apply this set of actions, all you have to do is simply apply any type of transformation through Cloudinary. Whether it be setting a crop mode, width, format, etc. all will lead to the processing of your asset.

Avoid serving original assets and set up more stringent security settings with Cloudinary, by doing the following:

  1. Set the asset’s type parameter to private in the upload to make the original asset private, i.e., invisible, to the public, allowing them to view the asset’s derivatives only. To view the original asset, one must have a signature-generated URL. (If you’ve already uploaded the asset, you can update it; see the related documentation for the procedure)

    Additionally, you can gain even more granular access to private asset-security measures with the following step:

  2. Enable the Strict Transformations setting to specify which derivatives (e.g., thumbnails) are viewable or allowed to be generated by anyone without the signature-generated URL.

Bear in mind it’s best to ensure security of your UGC not only for your business, but also for others. Inevitably, users might accidentally upload assets that expose private information about themselves or that include visuals of people who would balk at a public posting of their pictures. To alleviate those situations, here are some workflows to keep in mind:

  • Reject assets that are irrelevant to your e-business. For example, through automation, Cloudinary can detect if a face is present in the UGC images uploaded of people supposedly wearing the clothes that you sell, enabling you to set up the logic to automatically delete the rogue images. Such a workflow not only reduces storage cost, but also avoids collecting potentially malicious assets.

  • Pay attention to all the content that is displayed in your UGC images. For example, see if users have accidentally included private information displayed as text in the background.

    Better head off the iffy situations at the outset. Cloudinary’s OCR Text Detection and Extraction add-on scans images and detects any text there, which you can render unreadable by blurring or pixelating with a transformation setting. The images are then clean and usable. It’s always great practice to instill a sense of trust between you and your users.

  • Blur or pixelate faces in the background as well as the regions of your choice. Do be judicious and cautious about what you display; after all, many people are by no means thrilled about their photos being posted on the Internet.

In today’s digital world in which information is constantly being sought, security is more important than ever, and companies with a weak security infrastructure are vulnerable to cyber attacks. Therefore, when choosing your asset-management solution, be sure to explore in detail how it handles security. The extent of possible damage can be so devastating that it definitely pays to be aware and prepared.

Want to Learn More About UGC?

Recent Blog Posts

Amplify Your Jamstack With Video

By Alex Patterson
Amplify Your Jamstack With Cloudinary Video

As defined by Amazon Web Services (AWS), Amplify is a set of products and tools with which mobile and front-end web developers can build and deploy AWS-powered, secure, and scalable full-stack apps. Also, you can efficiently configure their back ends, connect them to your app with just a few lines of code, and deploy static web apps in only three steps. Historically, because of their performance issues, managing images and videos is a daunting challenge for developers. Even though you can easily load media to an S3 bucket with AWS Amplify, transforming, compressing, and responsively delivering them is labor intensive and time consuming.

Read more
Cloudinary Helps Move James Hardie’s Experience Online

While COVID has affected most businesses, it has been particularly hard on those that sell products for the physical ‘brick and mortar’ world. One company that literally fits that bill is our Australian customer James Hardie, the largest global manufacturer of fibre cement products used in both domestic and commercial construction. These are materials that its buyers ideally want to see up close, in detail. When customers have questions, they expect personal service.

Read more
How to Build an Enhanced Gravatar Service, Part 2

Part 1 of this post defines the capabilities of an enhanced Gravatar service, which I named Clavatar, and describes the following initial steps for building it:

This post, part 2 of the series, explains how to make Clavatar work like Gravatar and to develop Clavatar’s capabilities of enabling requests for various versions of the images related to user accounts.

Read more
How to Build an Enhanced Gravatar Service, Part 1

The advent of web development since 25 years ago has given birth to an abundance of online services that help developers build apps efficiently and smoothly. Gravatar is a shining example of such a service. Built by WordPress, Gravatar generates globally recognized avatars. Fun fact: 80 percent of Gravatar users first came across that service when reading a WordPress blog.

Read more