Allow POSTing image #383
Comments
imagor is designed for transforming images on public endpoints. POST method can raise significant security concerns, making it unsuitable for public requests. However, it's worth noting that the POST method may be appropriate between private microservices.
You mean that the URL of the image to be transformed is filtered according to the configuration. So, either opt-in in configuration as "unsafe-POST", or require the same HASH method for POST-ing:
The POST endpoint may look like this:
Where the image key is empty. All in all, POST requires a pretty big change to the current architecture.
This would be awesome, we would like to use it as a microservice, POST content and get another back to store in our system.
I still fail to understand the security implications of exposing pushing an image via POST. How is pushing a byte array to an image processor via POST less secure than the image processor pulling the same image via a public URL via GET? If an attacker wants to process an image, it will get in regardless. This appears to be a cache/key issue and not a security one.
Sorry for my incompetence, but why is POSTing explicitly forbidden?
For me it'd be way easier to POST the image to be transformed.