Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Z2222 on
I just read this page:
http://drupal.org/drupal-7.20-release-notes
It says that image styles will append a token to the end of image URLs.
As an example, links that previously pointed to a URL like http: //example.com/sites/default/files/styles/thumbnail/public/field/image/example.png will now point to a URL like http: //example.com/sites/default/files/styles/thumbnail/public/field/image/example.png?itok=zD_VaCaD.
If a site changes the URLs of images, it can be bad for SEO. I've had Drupal sites with 1,000+ visits per day just from image searches, so image SEO is an issue that should be considered.
Maybe there is another way to fix the security problem other than changing URLs? URLs should never change...
Comments
Was wondering about this
Was wondering about this myself. I guess the only sane solution at present is to add the configuration variable to turn off the tokens.
Is it a big security risk?
Is it a big security risk? What are the possible attacks that it would open a site up to?
There's the potential for a
There's the potential for a denial of service attack, but that's it. Realistically, every Drupal site using imagecache got by just fine without the tokens for years...
Who should be contacted to
Who should be contacted to remove that "feature" by default? It's going to mess up a lot of websites. Probably happened to one of mine, since the traffic went down when I upgraded to D7. I didn't even think to look at that possibility.
You'll need to argue with the
You'll need to argue with the Drupal security team. Good luck with that ;-)
Even though I fully support
Even though I fully support this security feature by default, in some cases it would be more practical to bypass this.
You are able to bypass the token requirement by adding the following to your settings.php file:
$conf['image_allow_insecure_derivatives'] = TRUE;Even though this allows images to be created without the token, it still adds the token to the end of the url each time. If the token is not required it should not be added by image_style_url. The reason for keeping it is that if the image_allow_insecure_derivatives variable is set back to false, the links would remain valid. There should be a second variable for this purpose, to remove the token altogether.
_
The drupal security team takes security very seriously and I have no doubt that they did a full risk/reward analysis before making such a change to core.
Images
There is no one who works on core who takes the SEO just as seriously? This might turn out to be a disaster for some websites and they will have no idea why their traffic dropped.
I would like to think the big
I would like to think the big search engines are smarter than that, but we all know they're not.
Have you noticed a significant or even minor effect from the upgrade to 7.20?
Can most of who commented on
Can most of who commented on this issue update on it as to whether the itok addition really had any impact in their SEO or was more a new panic thing and SEO traffic normalized after some time?
Yes, please give some of your
Yes, please give some of your experience feed-back.
It seems obvious the itok token had some impact at the moment of the 7.20 update, by changing the image url.
But did the sites experiencing it regain their initial state of SEO after a while ?
And does it seem to have impact on new sites built after 7.20 version ?
Thanks.