Hotlink Protection
For our CDN, we provide a feature that lets you use JWT tokens to secure access to assets on the CDN. To use it, enable the feature in the Scalia Portal and supply the JWT secret used for HS256 (HMAC-SHA256) signing. Once enabled, every CDN URL must carry the GET parameter token, set to the generated JWT.
Enabling JWT Protection
To use this feature, please follow a few simple steps:
- Enable the feature in the Scalia Portal. This can be done by logging in to your account and navigating to the configuration section of the preferred CDN entry.
- From the configuration wizard toggle “JWT Protection” and supply a secret key. This key should be kept secure and not shared with unauthorised individuals.
- After selecting "Save", the CDN will no longer serve any asset unless the request carries a valid token.
Generating a Token
In most cases the client application generates the JWT and supplies it to the end user. Scalia JWT Protection requires a token with the following header and claims.
| Header | Required | Value |
|---|---|---|
| alg | Yes | HS256 |
| typ | Yes | JWT |

| Claim | Required | Remark |
|---|---|---|
| iat | Yes | Unix timestamp; time the token was generated |
| nbf | Yes | Unix timestamp; time from which the token is valid |
| exp | Yes | Unix timestamp; time at which the token expires |
| file | No | String; path of the asset bound to the token |
| ip | No | String; IP address bound to the token |
We recommend using the tooling available at jwt.io; you may find an example of a JWT token with all the above claims here.
Evaluation
Tokens are evaluated in sequence, one claim at a time. If any check fails, access to the asset is rejected. The following is a more detailed explanation of the token evaluation process:
- Signature Verification: The first step is to verify the token signature using the secret key. This ensures that the token has not been tampered with and was issued by a trusted party.
- Not Before Check: The not-before (nbf) claim is checked to ensure that the token is not being used before its intended time. If the current time is before the nbf claim, access to the asset will be denied.
- Expiration Check: Next, the expiration time (exp) claim is checked to ensure that the token has not expired. If the token has expired, access to the asset will be denied.
- File Check: The file claim is checked to ensure that the token was issued for the requested asset. If the file does not match the request path, access to the asset will be denied.
- IP Check: The IP (ip) claim is checked to ensure that the token was intended for the current requester. If the remote IP of the requester does not match the ip claim, access to the asset will be denied.
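The token format from "Generating a Token" and the check order from "Evaluation", as an added stand-alone example (not Scalia's own code or the CDN's implementation). It builds an HS256 token with the stdlib only and then runs the five checks in the documented order; the time comparisons assume RFC 7519 semantics (valid when nbf <= now < exp), the file claim is assumed to be compared exactly against the request path, and the secret, path, IP and timestamps are constructed sample values.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(secret: str, path: str, ip: str, ttl: int, now: int) -> str:
    """Issue a token with the required header and all five claims (file/ip optional)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iat": now, "nbf": now, "exp": now + ttl, "file": path, "ip": ip}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def evaluate(token: str, secret: str, request_path: str, remote_ip: str, now: int) -> str:
    """Return 'ok' or the name of the first failing check, in the documented order."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        return "malformed"
    # 1. Signature: recompute HMAC-SHA256 over header.claims, compare in constant time.
    expected = hmac.new(secret.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return "signature"
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":   # only HS256 is accepted; never trust 'none'
        return "signature"
    claims = json.loads(_b64url_decode(c64))
    if not all(k in claims for k in ("iat", "nbf", "exp")):  # all three are required
        return "missing-claim"
    # 2. Not-before: token must not be used before nbf.
    if now < claims["nbf"]:
        return "nbf"
    # 3. Expiration: token is invalid from exp onwards.
    if now >= claims["exp"]:
        return "exp"
    # 4. File binding (optional): must equal the requested asset path.
    if "file" in claims and claims["file"] != request_path:
        return "file"
    # 5. IP binding (optional): must equal the requester's remote IP.
    if "ip" in claims and claims["ip"] != remote_ip:
        return "ip"
    return "ok"
```

Because the checks stop at the first failure, the returned name tells you which stage rejected a request, which is useful when troubleshooting clock skew (nbf/exp) versus a path or IP mismatch.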
Implementation
After generating the token and signing it with the secret key, it can be used with the Scalia CDN. Append the token parameter to the CDN URL, set to your generated JWT. For example:
https://cdn.example.com/assets/image.jpg?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....
By following these simple steps, you can quickly and easily enable the JWT token authentication feature and enjoy secure access to your assets on the CDN. This feature provides an additional layer of security to ensure that only authorised individuals can access the files on the network.
Overall, the use of JWT tokens is a secure and easy way to protect assets on a CDN. With the JWT token authentication feature, you can enjoy peace of mind, knowing that your assets are secure and protected from unauthorised access.