Hi Team,
I am trying to generate signed URLs to access manifest/HLS files in one of our private buckets. I am following this documentation: Generating Signed URLs to generate signed path URLs, allowing the media player to fetch all HLS files within the path.
I have successfully generated signed path components using the following pattern, and the links work as expected in the media player:
https://domain.com/{pathToFile}/edge-cache-token=Expires={expiryTime}&KeyName=myKey&Signature={generatedSignature}/playlist.m3u8
However, I would like to enhance security by restricting access to requests that include specific custom headers with predefined values.
According to the documentation, we can pass HeaderName and HeaderValue while generating the signature (Optional Signature Fields), and these values will be validated at the Media CDN level.
To implement this, I added HeaderName={myHeader} and HeaderValue={myHeaderValue} while generating the signature as follows:
urlPatternToSign := fmt.Sprintf("%sedge-cache-token=Expires=%d&KeyName=%s&HeaderName=%s&HeaderValue=%s", prefixUrl, expirationTimestamp, keyName, "myheader", "myheadervalue")
This approach correctly verifies the headers from the request and produces the expected output. However, it also requires including HeaderName and HeaderValue in the URL itself, which exposes these values—defeating the purpose of using opaque identifiers in the request.
Example:
urlPatternToSign := fmt.Sprintf("%sedge-cache-token=Expires=%d&KeyName=%s&HeaderName=%s&HeaderValue=%s", prefixUrl, expirationTimestamp, "my-key", "myheader", "myheadervalue")
Could you clarify if my understanding is incorrect or if I am missing something in the implementation? Ideally, I want the request to be validated using headers without exposing them in the URL itself.
Any help from the team would be really appreciated.
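
The behaviour described in the question, as an added example that is not part of the original post and is not Media CDN's own code: it signs the same pattern and then checks it the way an edge verifier could, rebuilding the signed string from the URL alone, which is why every signed field (HeaderName and HeaderValue included) is readable in the URL even though it cannot be altered. Assumptions: an Ed25519 key built from a constructed seed, a simplified verifier, and the hypothetical names `demoKeys`, `signPath` and `verifyPath`.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// demoKeys returns a key pair from a constructed seed (sample value, not a real key).
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed([]byte(strings.Repeat("k", ed25519.SeedSize)))
	return priv.Public().(ed25519.PublicKey), priv
}

// signPath signs prefixURL+"edge-cache-token="+fields, then appends the signature and file name.
func signPath(priv ed25519.PrivateKey, prefixURL, fields, file string) string {
	signed := prefixURL + "edge-cache-token=" + fields
	sig := ed25519.Sign(priv, []byte(signed))
	return signed + "&Signature=" + base64.RawURLEncoding.EncodeToString(sig) + "/" + file
}

// verifyPath is a hypothetical edge-side check; hdrs holds the request headers (lower-case names).
func verifyPath(pub ed25519.PublicKey, url string, hdrs map[string]string, now int64) bool {
	// Everything before "&Signature=" is the signed string, taken straight from the URL.
	signed, rest, ok := strings.Cut(url, "&Signature=")
	sigText, _, _ := strings.Cut(rest, "/")
	sig, err := base64.RawURLEncoding.DecodeString(sigText)
	if !ok || err != nil || !ed25519.Verify(pub, []byte(signed), sig) {
		return false
	}
	_, token, _ := strings.Cut(signed, "edge-cache-token=")
	f := map[string]string{}
	for _, kv := range strings.Split(token, "&") {
		k, v, _ := strings.Cut(kv, "=")
		f[k] = v
	}
	exp, err := strconv.ParseInt(f["Expires"], 10, 64)
	if err != nil || now > exp {
		return false
	}
	name, bound := f["HeaderName"] // header binding is optional
	return !bound || hdrs[name] == f["HeaderValue"]
}

func main() {
	pub, priv := demoKeys()
	u := signPath(priv, "https://domain.com/media/", "Expires=2000000000&KeyName=myKey&HeaderName=myheader&HeaderValue=myheadervalue", "playlist.m3u8")
	fmt.Println(u, verifyPath(pub, u, map[string]string{"myheader": "myheadervalue"}, 1700000000))
}
```

The signature stops a client from changing the header value in the URL, but it does not hide it: anyone holding the URL can read the expected header and value.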