How Does Instagram Protect Private Images from Non-Followers?

Asked By CoolCat32 On

I'm curious about how Instagram manages to secure images on private accounts, particularly when you can access public images easily elsewhere, like on X/Twitter. For example, if you make your S3 bucket public while setting up a social media platform, how can you ensure that only followers can view images tied to private accounts? I've noticed that on Instagram, there's no 'copy image address' option in the web version. If they're including images in their frontend, how are they preventing users from accessing them directly? Is there a way to programmatically allow or deny access based on whether someone follows the account?

4 Answers

Answered By ImageWhiz On

For private images, Instagram uses signed URLs, which are temporary links that expire after a short time. If you grab one of these links before it expires, even non-followers can view it.

Answered By TechNinja99 On

If you inspect the webpage, you can actually find the image URLs. They tend to place transparent elements over the images, which prevents users from accessing the context menu for the image, giving the illusion that you're not able to do much with them. It's a clever trick!

CleverCoder21 -

It’s likely they’re using `pointer-events: none` to disable right-clicking on images. Plus, there are metadata elements in the URLs that track users.

JustCurious20 -

Thanks for the insight!

Answered By SecureImageGuy On

Yes, it’s definitely feasible to serve images based on user authentication through things like cookies. Many sites keep images on secure servers with tough-to-guess URLs, or use cryptographic keys to access temporary URLs. This can make delivery through a CDN seamless without needing deep integration with the app's auth processes.

SkepticalViewer -

So, do they have permanent storage, or is it all generated on demand from a private server?

Answered By InformedDev22 On

Instagram does include `<img>` tags for images. However, the URLs seem to be dynamically generated with short expiration times. This means you can access private images just after generating the URL, but it won't last long, especially if you're not logged in. For videos, they stream data as blobs to a custom player.

RandomUser42 -

Interesting! I wonder if X does something similar, since it seems odd that you can see and share images from a private account.
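The signed, expiring URLs described in the answers above, as an added example that is not part of the original thread and is not Instagram's actual implementation: a generic HMAC scheme in which the app server checks the follow relationship when it issues the link and the CDN edge checks only signature and expiry. The key, host, follow graph and the function names `issue_url` and `edge_allows` are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"constructed-demo-key"        # assumption: secret shared by app server and CDN edge
FOLLOWERS = {"alice_private": {"bob"}}       # constructed follow graph: owner -> approved followers
CDN_HOST = "https://cdn.example.invalid"     # placeholder host


def _sign(path: str, expires: int) -> str:
    # The MAC covers both the object path and the expiry, so neither can be altered.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_url(viewer, owner, path, now=None, ttl=300):
    """App server: the follower check happens here, once, at issue time."""
    if viewer != owner and viewer not in FOLLOWERS.get(owner, set()):
        return None                          # non-followers never receive a URL
    expires = int(now if now is not None else time.time()) + ttl
    query = urlencode({"exp": expires, "sig": _sign(path, expires)})
    return f"{CDN_HOST}{path}?{query}"


def edge_allows(url, now=None):
    """CDN edge: verifies signature and expiry only; it has no view of the follow graph."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False                         # missing or malformed parameters
    expected = _sign(parsed.path, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False                         # path or expiry was tampered with
    return (now if now is not None else time.time()) < expires


if __name__ == "__main__":
    url = issue_url("bob", "alice_private", "/p/alice_private/1.jpg", now=1_700_000_000)
    print(url)
    print(edge_allows(url, now=1_700_000_100))   # inside the 300-second window
    print(edge_allows(url, now=1_700_000_400))   # after expiry
```

`edge_allows` takes no viewer argument, which is why a link copied before it expires works for whoever holds it; the short `ttl` is what bounds that exposure.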
