Secure Media File Access via Password-Protected Proxy URLs
Updated
This article outlines the process for securely handling media in Sprinklr through proxy-based, password-protected URLs.
Background
When media is uploaded and shared across various channels, it becomes essential to ensure that only authorized users can access this content, particularly when the final destination is a secure internal system.
The earlier media access URLs were not sufficiently secure. Media files shared via public URLs could potentially be accessed by unauthorized individuals, as there was no verification process for users outside of Sprinklr. This raises concerns around data protection, content leakage, and unauthorized access.
Solution
Solution uses unique password-protected proxy URLs routed through a proxy server for authentication.
Passwords are set per URL in the Guided Workflow and cannot be changed once created.
Correct password grants media access; incorrect password shows an error page.
Web Application Firewall (WAF) protects against brute-force and malicious attacks at the proxy layer.
Sprinklr follows an hybrid approach that combines the advantages of proxy routing and password protection.
Implementation Steps
Password setup is integrated into the Guided Workflow by using the Update Properties node on the Guided Workflow Canvas.
On the Guided Workflow Canvas, add an Update Properties node.
In the Select/Create Fields to update their values field, define a variable and use the function com.spr.bots.util.MEDIA_PROXY_UTILS.generatePasswordProxyUrlForMedia(urlString, passwordString)
In the Custom Code window, provide the actual media URL and the password you want to assign for accessing this media in the following format.
Replace https://sprcdn-assets.sprinklr.com/<media_file_path>/<file_name>.mp4 with the actual media URL.
Replace "yourPasswordHere" with the password you want to assign for accessing this media.
After adding click Save on the Enter Custom Code window and Update Properties window. Add End Execution node.
When the workflow is triggered, a new proxy link is generated. This link is password-protected.
When the proxy link is accessed, a prompt to enter the password set in the workflow is displayed. Only the correct password allows access to the media.
Note: Once a password is set for a URL, it cannot be changed. If the password is incorrect, an error page is shown. The password is not visible after entry, and copying the URL after viewing the media will not work for unauthorized access.