
Control origin access

You can serve resized images without giving access to the original image. Images can be hosted on another server outside of your zone, and the true source of the image can be entirely hidden. The origin server may require authentication to disclose the original image, without needing visitors to be aware of it. Access to the full-size image may be prevented by making it impossible to manipulate resizing parameters.

All these behaviors are completely customizable, because they are handled by custom code in a script running on the edge in a Cloudflare Worker.

This code will be run for every request, but the source code will not be accessible to website visitors. This allows the code to perform security checks and contain secrets required to access the images in a controlled manner.

The examples below are only suggestions, and do not have to be followed exactly. You can compute image URLs and resizing options in many other ways.

Hiding the image server

Preventing access to full-size images

On top of protecting the original image URL, you can also validate that only certain image sizes are allowed:

Avoid image dimensions in URLs

You do not have to include actual pixel dimensions in the URL. You can embed sizes in the Worker script, and select the size in some other way — for example, by naming a preset in the URL:
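
The sketch below is an added example, not Cloudflare's own code: a Worker that hides the image server, accepts only named presets and refuses every other request, so visitors cannot ask for the full-size image. The origin host, the `/originals/` path, the `/img/<preset>/<file>` URL layout and the preset names are assumptions made for illustration.

```javascript
// Hypothetical values: the origin host, /originals/ path and preset names are assumptions.
const ORIGIN = "https://images-origin.example.net"; // never shown to visitors
const PRESETS = {
  thumb: { width: 150, height: 150, fit: "cover" },
  card: { width: 480, fit: "scale-down" },
  hero: { width: 1280, fit: "scale-down" },
};
// A single file name with an image extension: no slashes, leading dots or percent-escapes.
const NAME_RE = /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.(?:jpe?g|png|webp)$/;

// Map a public URL of the form /img/<preset>/<file> to an origin URL plus
// resizing options, or return null when the request must be refused.
function planResize(requestUrl) {
  const parts = new URL(requestUrl).pathname.split("/");
  if (parts.length !== 4 || parts[0] !== "" || parts[1] !== "img") return null;
  const preset = parts[2];
  const name = parts[3];
  // Own-property check so names like "__proto__" cannot select inherited values.
  if (!Object.prototype.hasOwnProperty.call(PRESETS, preset)) return null;
  if (!NAME_RE.test(name)) return null;
  // The query string is ignored, so ?width=... cannot override the preset.
  return { originUrl: `${ORIGIN}/originals/${name}`, image: { ...PRESETS[preset] } };
}

const worker = {
  async fetch(request) {
    const plan = planResize(request.url);
    if (plan === null) return new Response("Not found", { status: 404 });
    // cf.image passes the resizing options to Cloudflare's image transformation.
    return fetch(plan.originUrl, { cf: { image: plan.image } });
  },
};
// In a module Worker this object would be the default export: export default worker;
```

Because the dimensions live only in `PRESETS`, adding or changing an allowed size is a script change and never a URL change.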

Authenticated origin

Cloudflare image transformations cache resized images to aid performance. Images stored with restricted access are generally not recommended for resizing because sharing images customized for individual visitors is unsafe. However, in cases where the customer agrees to store such images in public cache, Cloudflare supports resizing images through Workers. At the moment, this is supported on authenticated AWS, Azure, Google Cloud, SecureAuth origins and origins behind Cloudflare Access.

When using this code, the following headers are passed through to the origin, and allow your request to be successful:

  • Authorization
  • Cookie
  • x-amz-content-sha256
  • x-amz-date
  • x-ms-date
  • x-ms-version
  • x-sa-date
  • cf-access-client-id
  • cf-access-client-secret

For more information, refer to: