New user here, hopefully these questions aren’t dumb. I’ve created a custom key to fetch transformed images. It works well, but I have some questions about security.
Under my custom key rule I’ve just put:
/api/cockpit/image
I have two questions:
- Will that open an attack vector where anyone could run a ton of resize requests with the token and crash my site?
- Does that token allow people to do other untoward things to my /api/cockpit/image folder? Like upload nasty things? Or are the custom keys just about allowing read access?
Any insight would be appreciated. Thanks!