Cloudinary Blog

User-Generated Content, Part 4: Security

Ensuring the Security of Assets Uploaded as User-Generated Content

Part 1 of this series highlights the basics of user-generated content (UGC) and its benefits for e-commerce. Part 2 describes how to leverage UGC images in e-commerce and efficiently upload, transform, and deliver them with Cloudinary. Part 3 focuses on videos in UGC and the many related management capabilities offered by Cloudinary.

Part 4 here suggests ways of rendering UGC media securely and free of harmful or inappropriate material, in particular by leveraging two configurations and an add-on in Cloudinary.

Site owners rightly assume that all UGC uploaded to their system originates from their users. Inevitably, however, with the ability for anyone to upload content to a site, others might want to see how much they can get away with, like large amounts of assets that overwhelm your system, files with embedded code, or, even worse, assets that contain malicious content. Regardless, you must take precautions against those misdeeds.

You can set up your system in many ways to handle your unique UGC workflow. In this case, a wise practice is to never serve on your site or app the original—that is, unprocessed—assets uploaded as UGC to avoid unknowingly delivering malicious content, which could have serious ramifications, typically leading to unwanted, adverse publicity.

What should you serve instead? A dynamic media platform like Cloudinary can help because it automatically processes all your non-original images and videos (aka transformed assets), ensuring that they are optimized and malware free. To apply this set of actions, all you have to do is simply apply any type of transformation through Cloudinary. Whether it be setting a crop mode, width, format, etc. all will lead to the processing of your asset.

Avoid serving original assets and set up more stringent security settings with Cloudinary, by doing the following:

  1. Set the asset’s type parameter to private in the upload to make the original asset private, i.e., invisible, to the public, allowing them to view the asset’s derivatives only. To view the original asset, one must have a signature-generated URL. (If you’ve already uploaded the asset, you can update it; see the related documentation for the procedure)

    Additionally, you can gain even more granular access to private asset-security measures with the following step:

  2. Enable the Strict Transformations setting to specify which derivatives (e.g., thumbnails) are viewable or allowed to be generated by anyone without the signature-generated URL.

Bear in mind it’s best to ensure security of your UGC not only for your business, but also for others. Inevitably, users might accidentally upload assets that expose private information about themselves or that include visuals of people who would balk at a public posting of their pictures. To alleviate those situations, here are some workflows to keep in mind:

  • Reject assets that are irrelevant to your e-business. For example, through automation, Cloudinary can detect if a face is present in the UGC images uploaded of people supposedly wearing the clothes that you sell, enabling you to set up the logic to automatically delete the rogue images. Such a workflow not only reduces storage cost, but also avoids collecting potentially malicious assets.

  • Pay attention to all the content that is displayed in your UGC images. For example, see if users have accidentally included private information displayed as text in the background.

    Better head off the iffy situations at the outset. Cloudinary’s OCR Text Detection and Extraction add-on scans images and detects any text there, which you can render unreadable by blurring or pixelating with a transformation setting. The images are then clean and usable. It’s always great practice to instill a sense of trust between you and your users.

  • Blur or pixelate faces in the background as well as the regions of your choice. Do be judicious and cautious about what you display; after all, many people are by no means thrilled about their photos being posted on the Internet.

In today’s digital world in which information is constantly being sought, security is more important than ever, and companies with a weak security infrastructure are vulnerable to cyber attacks. Therefore, when choosing your asset-management solution, be sure to explore in detail how it handles security. The extent of possible damage can be so devastating that it definitely pays to be aware and prepared.

Want to Learn More About UGC?

Recent Blog Posts

Partner news: Cloudinary-Getty Images Integration

Supported by intelligent automation, Cloudinary serves as an effective conduit between media asset management and delivery so you can take maximum advantage of assets, compress workflows, and build and coordinate engaging and inspiring customer experiences. Through Cloudinary’s Digital Asset Management (DAM) solution, which employs the company’s innovative image and video APIs, creative and marketing teams can benefit from them, as well as from many AI-powered and automated capabilities. As a result, you can transform, optimize, and deliver media at scale on an intuitive UI.

Read more
Why Audio in Video Matters

Many content creators and consumers tend to regard video as visuals, but that’s only part of the experience. Immersive video content includes strong audio. Just like in a movie, the audio for video content comprises many components: the narrator or subjects, the background music that sets the mood and draws viewers in, sound effects, and so forth.

Read more

For Developers: the HTML <picture> Element Explained

By Amarachi Amaechi
For Developers: the HTML <picture> Element Explained

We all know the good ol', tireless <img> element, which has been a long-time go-to for inserting graphics into webpages. Time doesn’t stop, however, and neither do technological advancements. So, let’s get you up to speed with the element’s modern alternative: the <picture> element.

Read more