Skip to content

[Images] Add backend clarification for signed image URLs#28258

Merged
ToriLindsay merged 4 commits intoproductionfrom
tori/private-images-clarify-backend-code
Feb 19, 2026
Merged

[Images] Add backend clarification for signed image URLs#28258
ToriLindsay merged 4 commits intoproductionfrom
tori/private-images-clarify-backend-code

Conversation

@ToriLindsay
Copy link
Contributor

Added clarification that Worker example can be implemented in any backend stack based on user feedback.

@ToriLindsay ToriLindsay requested review from a team, renandincer and third774 as code owners February 11, 2026 12:17
@github-actions github-actions bot added product:images Related to Image Resizing product size/xs labels Feb 11, 2026
@github-actions
Copy link
Contributor

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern Owners
/src/content/docs/images/ @ToriLindsay, @cloudflare/pcx-technical-writing, @renandincer, @third774

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/bonk improve this example - we should be guiding users to use wrangler secret or Secrets Store for handling key material, not baking into source code.

review the rest for clarity and make fixes.

- Replace hardcoded KEY constant with env.IMAGES_SIGNING_KEY binding
- Add note guiding users to store keys via wrangler secret put
- Fix event.request.url bug (should be request.url in fetch handler)
- Add TypeScript types to function signatures
- Minor clarity improvements to prose and code comments
@ask-bonk
Copy link
Contributor

ask-bonk bot commented Feb 11, 2026

Here is a summary of all changes made:

Key material handling (reviewer's primary concern)

  • Removed the hardcoded const KEY = "YOUR_KEY_FROM_IMAGES_DASHBOARD" constant
  • Added env.IMAGES_SIGNING_KEY binding — the signing key is now passed from the env parameter into generateSignedUrl() as an argument
  • Added a :::note admonition before the code block directing users to store keys via wrangler secret put with a link to the Secrets docs

Bug fix

  • Fixed event.request.urlrequest.url on line 87 — the fetch handler receives request as a parameter, event is not defined in this context and would have thrown a runtime error

Clarity improvements

  • Split the long introductory paragraph into two shorter ones
  • Added TypeScript types to function signatures (buffer: ArrayBuffer, url: URL, signingKey: string, Promise<Response>)
  • Tightened code comments (e.g., "Generate the HMAC signature", "Attach the signature to the URL")
  • Added inline comment // IMAGES_SIGNING_KEY is set via 'npx wrangler secret put IMAGES_SIGNING_KEY' at the call site

github run

Co-authored-by: ranbel <101146722+ranbel@users.noreply.github.com>
@ToriLindsay ToriLindsay merged commit a851a2c into production Feb 19, 2026
9 checks passed
@ToriLindsay ToriLindsay deleted the tori/private-images-clarify-backend-code branch February 19, 2026 12:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

product:images Related to Image Resizing product size/xs

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants

Comments