Security
Rendorix serves public image GETs. Security does not rely on hiding URLs—browsers and CDNs must fetch images for your pages. The model is defense in depth: HMAC-signed URLs with expiry, edge validation before expensive work, least-privilege IAM to S3, and solid secret and logging practices.
Details: HMAC signing, Expiration. For why signing exists at all, see Signed URLs.
Threat model
| Threat | Mitigation |
|---|---|
| Open “any transform” API | HMAC over a fixed parameter set; reject unsigned or tampered requests. |
| Cost / capacity burn (Lambda, S3) | Presets and allowlists; WAF or rate limits in front of CloudFront; cache to cap unique variants (Tradeoffs). |
| Stolen or copied links | Short exp where acceptable; monitor abuse; no secrets in the query string. |
| Query tampering (preset, path, exp) | Signature covers all security-relevant fields; any change breaks the MAC. |
| Secret leak (git, client bundle) | Secrets only in server/CI; rotate on suspicion; pre-commit scanning. |
| Over-broad S3 IAM | Least privilege per prefix; separate prod/dev buckets when practical. |
Rendorix is not DRM: if someone can read a URL, they can replay it until exp. Long HTTP cache TTL can still serve bytes from an edge cache; see TTL and Expiration.
For regulated environments (PCI, HIPAA, etc.), map these patterns to your compliance program—this documentation is architecture guidance, not a compliance attestation.
Secret management (high level)
- What — The HMAC key (or future signing material); treat it like a production credential.
- Where — CI secrets for static builds; runtime env, AWS Secrets Manager, or SSM for SSR. Never expose it through NEXT_PUBLIC_* variables or client bundles.
- Rotation — Support overlapping verification keys during rollover if your edge can try a key id or versioned secrets (document the runbook in infra).
- Access — Limit who can read prod secrets and who can deploy signing logic.
Operational controls
- Logging — Structured metrics for 403 due to bad signature vs expired URL; avoid logging full secrets or signing inputs in insecure sinks.
- Metrics — Edge 4xx rate, Lambda errors, S3 error rates, CloudFront cache hit ratio.
- Incidents — Rotate HMAC on suspected key exposure; remember that invalidation alone does not revoke long-lived URLs already issued, so a short exp limits the blast radius.