Cloudinary Blog

User-Generated Content, Part 4: Security

Ensuring the Security of Assets Uploaded as User-Generated Content

Part 1 of this series highlights the basics of user-generated content (UGC) and its benefits for e-commerce. Part 2 describes how to leverage UGC images in e-commerce and efficiently upload, transform, and deliver them with Cloudinary. Part 3 focuses on videos in UGC and the many related management capabilities offered by Cloudinary.

Part 4 here suggests ways of rendering UGC media securely and free of harmful or inappropriate material, in particular by leveraging two configurations and an add-on in Cloudinary.

Site owners rightly assume that all UGC uploaded to their system originates from their users. Inevitably, however, when anyone can upload content to a site, some people will test how much they can get away with: uploading large amounts of assets that overwhelm your system, files with embedded code, or, even worse, assets that contain malicious content. Whatever the case, you must take precautions against that kind of misuse.

You can set up your system in many ways to handle your unique UGC workflow. Whichever you choose, a wise practice is to never serve on your site or app the original (that is, unprocessed) assets uploaded as UGC. Doing so avoids unknowingly delivering malicious content, which could have serious ramifications, typically leading to unwanted, adverse publicity.

What should you serve instead? A dynamic media platform like Cloudinary can help because it automatically processes all your non-original images and videos (aka transformed assets), ensuring that they are optimized and malware free. To trigger that processing, all you have to do is apply any type of transformation through Cloudinary. Setting a crop mode, a width, a format, and so on all lead to the processing of your asset.

Avoid serving original assets and set up more stringent security settings with Cloudinary by doing the following:

  1. Set the asset’s type parameter to private in the upload. That makes the original asset private, i.e., invisible to the public, who can then view the asset’s derivatives only. To view the original asset, one must have a signature-generated URL. (If you’ve already uploaded the asset, you can update it; see the related documentation for the procedure.)

    Additionally, you can gain even more granular control over access to private assets with the following step:

  2. Enable the Strict Transformations setting to specify which derivatives (e.g., thumbnails) are viewable or allowed to be generated by anyone without the signature-generated URL.
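To check that your pages follow the two steps above, the added example below (not Cloudinary's code) audits delivery URLs found in your own templates and flags any that would serve an original or an unsigned derivative outside your allowlist. The path layout, the allowlist entries, the cloud name and the public ID are assumptions made for the example.

```python
import re
from itertools import takewhile
from urllib.parse import urlparse

# Constructed allowlist mirroring derivatives allowed under Strict Transformations.
ALLOWED = {"c_fill,h_200,w_200", "f_auto,q_auto,w_800"}
SIGNATURE = re.compile(r"s--[A-Za-z0-9_-]{8,32}--")
VERSION = re.compile(r"v\d+")
# One transformation component: comma-separated <key>_<value> parameters.
TRANSFORM = re.compile(r"[a-z]{1,3}_[^,]+(,[a-z]{1,3}_[^,]+)*")

# Constructed sample URLs; cloud name and public ID are placeholders.
BASE = "https://res.cloudinary.com/example-cloud/image/private"
SAMPLES = [
    BASE + "/v1/ugc/review_123.jpg",
    BASE + "/c_fill,h_200,w_200/v1/ugc/review_123.jpg",
    BASE + "/w_4000/ugc/review_123.jpg",
    BASE + "/s--abcd1234--/e_pixelate_faces/v1/ugc/review_123.jpg",
]


def audit_delivery_url(url):
    """Return (verdict, transformation) for one delivery URL."""
    # Assumed path: /<cloud>/<resource_type>/<type>/[signature]/
    # [transformations]/[version]/<public_id>
    parts = [p for p in urlparse(url).path.split("/") if p]
    if len(parts) < 4:
        return ("unparsed", "")
    rest = parts[3:]
    signed = bool(SIGNATURE.fullmatch(rest[0]))
    if signed:
        rest = rest[1:]
    # With a version segment, everything before it is the transformation chain.
    # Without one, fall back to a heuristic (a folder named "w_200" is misread).
    idx = next((i for i, p in enumerate(rest) if VERSION.fullmatch(p)), None)
    if idx is not None:
        chain = rest[:idx]
    else:
        chain = list(takewhile(TRANSFORM.fullmatch, rest[:-1]))
    transformation = "/".join(chain)
    if not transformation:
        return ("original", "")  # the unprocessed upload would be served
    if signed:
        return ("signed", transformation)
    if transformation in ALLOWED:
        return ("allowed", transformation)
    return ("unlisted", transformation)  # needs a signature or allowlist entry


def audit_all(urls=SAMPLES):
    return [audit_delivery_url(u)[0] for u in urls]
```

Treat "original" and "unlisted" verdicts as findings: the first means a page links to an unprocessed upload, the second means a derivative that is neither signed nor on your allowlist.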

Bear in mind it’s best to ensure security of your UGC not only for your business, but also for others. Inevitably, users might accidentally upload assets that expose private information about themselves or that include visuals of people who would balk at a public posting of their pictures. To alleviate those situations, here are some workflows to keep in mind:

  • Reject assets that are irrelevant to your e-business. For example, through automation, Cloudinary can detect if a face is present in the UGC images uploaded of people supposedly wearing the clothes that you sell, enabling you to set up the logic to automatically delete the rogue images. Such a workflow not only reduces storage cost, but also avoids collecting potentially malicious assets.

  • Pay attention to all the content that is displayed in your UGC images. For example, see if users have accidentally included private information displayed as text in the background.

    Better head off the iffy situations at the outset. Cloudinary’s OCR Text Detection and Extraction add-on scans images and detects any text there, which you can render unreadable by blurring or pixelating with a transformation setting. The images are then clean and usable. It’s always great practice to instill a sense of trust between you and your users.

  • Blur or pixelate faces in the background as well as the regions of your choice. Do be judicious and cautious about what you display; after all, many people are by no means thrilled about their photos being posted on the Internet.

In today’s digital world in which information is constantly being sought, security is more important than ever, and companies with a weak security infrastructure are vulnerable to cyber attacks. Therefore, when choosing your asset-management solution, be sure to explore in detail how it handles security. The extent of possible damage can be so devastating that it definitely pays to be aware and prepared.
