Transformations - Using Security

The transformation engine works with Filestack's existing security. You can pass your policy and signature as one of the transformation tasks.

Note: The maximum accepted image size is 100,000,000 pixels; an image with this many pixels could have dimensions such as 10,000 x 10,000 or 5,000 x 20,000. There is also a file size restriction: Filestack will not convert an image larger than 256 MB. Please contact us if you need to process files larger than these limits.

Security Task URL Formats:
https://process.filestackapi.com/security=[options]/Filestack_FileLink_Handle
or
https://process.filestackapi.com/<API_KEY>/security=[options]/File_URL
security=policy:your_base64_encoded_policy
String

Can be abbreviated as p:your_base64_encoded_policy

Filestack file policies are URL-safe Base64 encodings of JSON objects. To generate a policy, create a JSON object with the appropriate key-value pairs, then Base64 encode it. URL safety is achieved by replacing '+' with '-' and '/' with '_'. Base64 may also include a trailing '=' as padding; leave that character in the string, or the policy will not be valid.

Example: policy:eyJoYW5kbGUiOiJLVzlFSmhZdFM2eTQ4V2htMlM2RCIsImV4cGlyeSI6MTUwODE0MTUwNH0=

security=signature:your_HMAC-SHA256_hex_encoded_signature
String

Can be abbreviated as s:your_HMAC-SHA256_hex_encoded_signature

The signature is a hex-encoded string with lowercase letters. Common libraries for calculating HMAC-SHA256 exist in a variety of languages; use a well-tested and vetted library rather than writing your own. You can also generate policies and signatures in the Filestack developer portal, in the Security section, with the debugging tool.

Example: signature:4098f262b9dba23e4766ce127353aaf4f37fde0fd726d164d944e031fd862c18

A note on security policy best practices: The examples here use a global security policy with a long expiration length. This is solely to illustrate the structure and usage of security in the new transformation engine; it would not be considered safe. Ideally, Filestack customers should generate policies on a case-by-case basis (read only, convert only, pick only), each with a short expiration period, rather than setting a global policy that covers all uses. This protects your data and the data of your users.
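The policy encoding, HMAC-SHA256 signing and URL assembly described above, as an added Python example (not Filestack's own SDK code). It assumes the signature is computed over the encoded policy string with the application secret as the HMAC key, that policy and signature are combined in one task as security=policy:...,signature:..., and that a transformation task such as rotate=deg:90 follows; the app secret is a constructed value and the 'call' policy key is not shown on this page. The page's example policy decodes to {"handle":"KW9EJhYtS6y48Whm2S6D","expiry":1508141504}, which the encoder reproduces.

```python
import base64
import hashlib
import hmac
import json
import time

PROCESS_HOST = "https://process.filestackapi.com"

def encode_policy(policy):
    """URL-safe Base64 of the compact JSON policy; the '=' padding is kept."""
    raw = json.dumps(policy, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode()

def decode_policy(encoded):
    """Inverse of encode_policy; re-pads so a policy whose '=' was dropped can still be inspected."""
    padded = encoded + "=" * (-len(encoded) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def sign_policy(app_secret, encoded_policy):
    """HMAC-SHA256 over the encoded policy string, keyed with the app secret (assumption), lowercase hex."""
    return hmac.new(app_secret.encode(), encoded_policy.encode(), hashlib.sha256).hexdigest()

def verify_signature(app_secret, encoded_policy, signature):
    """Constant-time check; the expected digest is lowercase, so normalise the supplied one first."""
    return hmac.compare_digest(sign_policy(app_secret, encoded_policy), signature.lower())

def policy_is_live(encoded_policy, now=None):
    """True while the policy's 'expiry' (UNIX seconds) is still in the future."""
    now = int(time.time()) if now is None else now
    return decode_policy(encoded_policy).get("expiry", 0) > now

def secure_transform_url(handle, task, encoded_policy, signature):
    """Handle form of the security task URL from this page, with one transformation task appended."""
    return f"{PROCESS_HOST}/security=policy:{encoded_policy},signature:{signature}/{task}/{handle}"

if __name__ == "__main__":
    APP_SECRET = "constructed-app-secret-for-illustration"  # constructed, not a real secret
    # Narrow, short-lived policy as the best-practice note recommends: one handle, five minutes,
    # convert only ('call' is a Filestack policy key not shown on this page).
    policy = {"handle": "KW9EJhYtS6y48Whm2S6D", "expiry": int(time.time()) + 300, "call": ["convert"]}
    enc = encode_policy(policy)
    sig = sign_policy(APP_SECRET, enc)
    print(secure_transform_url("KW9EJhYtS6y48Whm2S6D", "rotate=deg:90", enc, sig))
```

Before accepting a policy from a client, decode it and check policy_is_live as well as verify_signature; an expired but correctly signed policy is still a rejection.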

Security Examples

Image Uploaded using a Filestack Account without Security Enabled and then transformed on an account that has security turned on

In this situation, the transformation requires a policy and signature in order for it to be performed, but only the Filestack handle is required for the source image.

[Image: Filestack image URL that is not secure, rotated using an account that has Filestack security enabled]

Image Uploaded using a Filestack Account with Security Enabled and then transformed on the same account

In this situation, the transformation requires a policy and signature in order for it to be performed, and the URL to be transformed requires a policy and signature in order for it to be accessed. This can become quite cumbersome, so we have instituted a change: the security policy and signature can be omitted for filelinks that were created by the same application that will be performing the conversion.

[Image: Filestack image that uses security, rotated with an account that also has security enabled]

External source image transformed using a Filestack Account with Security Enabled

In this situation, the transformation requires a policy and signature in order for it to be performed, but the URL to be transformed does not, because it comes from outside the Filestack security ecosystem.

[Image: External source image rotated with an account that has security enabled]