How to avoid image-resize attacks from side requests ?

[Awilum]

Hello!

I am using Glide in my Images service to manipulate images from side resources via Rest API https://flextype.org/documentation/rest-api/images
like it is https://imgix.com.

I see this example here https://glide.thephpleague.com/2.0/simple-example/

<img src="/img/users/<?=$user->id?>.jpg?w=300&h=400&fit=crop">

and it is fine to build urls in this way,

but then I read this: https://glide.thephpleague.com/2.0/config/security/
it's saying that it is not secure and we should use signatures and build URLs with help of UrlBuilderFactory.

GET /api/images/{path:.+}?VALID_ARGUMENTS&token=YOUR_IMAGES_TOKEN

I know know my YOUR_IMAGES_TOKEN but image signature is unique per each request.

And even on the current server I can't create request to the API by typing url with arguments, because it requires signature for security reason.

on https://imgix.com example, I don't see signatures (or I am wrong), how do they protect server from image-resize attacks ? any ideas ?

Is there some simple way to make secure requests without UrlBuilderFactory?
Is it possible to get signatures out of the server somehow in simple way?
Or maybe there is any other ways to protect server from image-resize attacks ?

[Art4]

We had the same problem. We solved it by defining ~10 presets and ignoring all other options in query string.

[Awilum]

I start thinking about: Is it right to do all this image processing on the fly with such a nice tool (on first look) like GLIDE and Intervention (under the hood)?

If we will have a few or 10 or 100 or even more images on the page, then we will need to run all this images processing stuff for each image (especially when the cache is cold) - and it is painful for the server. The server will just go down.

I think that we should not do this processing for each image, and especially on the same server where site is running.