Content protection

The content protection features can be used to restrict content to users.

URL Signing

Assets served by Warpcache can be protected using signed urls. This allows your content to be available for a limited time. Signed URLs can be generated by your backend system. The parameters for the signed urls can be configured per vhost on the secure content page in the portal.

Configure content protection

Secured url that expires when the TTL is reached:

token    = MD5("/pdf/file.pdf?ttl=1593350511&pass=verysecretpassphrase") # == "4165eba9eb5fd916b363c6639d776935"
URL      = ""

Secured url that does not expire:

input    = MD5("/Movies/Infinite.mp4?pass=verysecretpass") # == "2eca74fb305fdbc1dde50e6075f2b1ea"
output   = "http://"

Securing a directory using a token

To allow a single token to access a full directory, directory mode can be used:

token    = MD5("/pdf/?l=0&ttl=1593350623&pass=verysecretpassphrase") # == "1dc4538f5afbd99844ccb9f63ea8ba2a"
URL      = ""

To aid you with developing and testing the signed URL implementation we provide you with a command line utility for generating signed URLs.

Download the script here

$ ./ -h
usage: [-h] [--ttl TTL] --secret SECRET --name NAME [--domain DOMAIN] [--path PATH] [--directory-mode] [--plain]

Generate a secure url

optional arguments:
  -h, --help        show this help message and exit
  --ttl TTL       Token expiration time in seconds
  --secret SECRET   Secret used to hash
  --name NAME       token name as url parameter
  --domain DOMAIN   domain for creating a url
  --path PATH       Path to secure
  --directory-mode  Allow access with a single token to all files in the directory that given file to secure belongs to
  --plain, -p       Only print the URL without verbose information


$ ./ --domain --secret verysecretpassphrase --name token --path /pdf/file.pdf --ttl 3600
input    = MD5("/pdf/file.pdf?ttl=1593351422&pass=verysecretpassphrase")
output   = "/pdf/file.pdf?ttl=1593351422&token=9cf5abe27c7379bcda6d5a1b881a1c8d"

Full URL =

Header based geoblocking

Note: For this feature to be enabled. Please create a support ticket.

Your origin may define geoblock parameters in the response headers. The headers will be used by the CDN edges to deny or allow access to objects/assets based on the country derived from the IP of the requesting user. This allows you to control the access per object.

Header name Header value
X-Geoblock-Type DenyExcept or AllowExcept
X-Geoblock-Countries ISO-31661 2-letter notation country

Example geoblock type AllowExcept; Object will be available in every country except the Benelux (Belgium, Netherlands, Luxembourg).

X-Geoblock-Type: AllowExcept
X-Geoblock-Countries: NL,BE,LU

Example geoblock type DenyExcept; Object will only be available in the Benelux (Belgium, Netherlands, Luxembourg).

X-Geoblock-Type: DenyExcept
X-Geoblock-Countries: NL,BE,LU