How it works...

When we consider the role security plays in our application, it is easy to see how to control our own resources, but easy to forget about securing the resources we rely on external cloud services to host. Fortunately, services such as Cloudinary have easy built-in tools to secure resources using the authentication type option upon upload.

The secure signing of our images with Cloudinary relies on the secret key information we initially configured in our /middleware/cloudinary.js middleware. Signing provides an effective mechanism to cryptographically bind the parameters of the request, including its public_id and options, into a signature that can't be changed by the client making the API request. Note that a signature protects the integrity of these parameters rather than hiding them: anyone can still read them, but any change invalidates the signature. Ultimately, it provides a modicum of protection against users guessing an image resource's URL for Cloudinary, even if they know the public_id of the image in Cloudinary and the cloud-name property for our Cloudinary account. Instead, the only reliable source for these URLs is our Express API, which through a redirect response effectively masks the URL for Cloudinary from the user. To the user, it appears that the image is served from our Express web server instead of an external cloud storage service.
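The following added example (not code from the book or from Cloudinary) illustrates the principle behind signing: a keyed hash over the public_id and options lets the storage side reject any URL whose parameters were altered. It uses HMAC-SHA256 as a stand-in and is not Cloudinary's own signature algorithm; API_SECRET, the sig parameter, signedPath and verifyPath are hypothetical names.

```javascript
const crypto = require('node:crypto');

// Constructed placeholder; a real secret stays in server-side configuration only.
const API_SECRET = 'constructed-demo-secret';

// Serialize public_id and options in a stable, unambiguous order so that
// the signer and the verifier always hash exactly the same bytes.
function canonicalize(publicId, options) {
  const pairs = Object.keys(options).sort()
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(String(options[k]))}`);
  return [encodeURIComponent(publicId), ...pairs].join('&');
}

// Keyed hash over the canonical string; without the secret it cannot be recomputed.
function sign(publicId, options, secret = API_SECRET) {
  return crypto.createHmac('sha256', secret)
    .update(canonicalize(publicId, options))
    .digest('base64url');
}

// API side: build the signed path that a redirect response would point to.
function signedPath(publicId, options, secret = API_SECRET) {
  const query = new URLSearchParams({ ...options, sig: sign(publicId, options, secret) });
  return `/${encodeURIComponent(publicId)}?${query}`;
}

// Storage side: recompute the signature over the parameters actually received
// and compare in constant time. Any edited or missing value fails the check.
function verifyPath(path, secret = API_SECRET) {
  const url = new URL(path, 'https://storage.invalid');
  const publicId = decodeURIComponent(url.pathname.slice(1));
  const options = Object.fromEntries(url.searchParams);
  const given = Buffer.from(options.sig || '', 'base64url');
  delete options.sig;
  const expected = Buffer.from(sign(publicId, options, secret), 'base64url');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}
```

The parameters remain readable in the path; only their integrity is protected, which is why the secret must never be sent to the client.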
