Why Does Changing the Signature Still Allow Access to My Private HLS on Cloudinary?
Igaligal
Member Posts: 1 ✭
I’m new here and need some help with securing video links on Cloudinary. I’m using Python to upload a video as private and also setting up strict transformations, but changing the signature in the URL still allows access.
Here’s what I’m doing:
- Enable Strict Transformations in the Cloudinary Settings → Security tab.
- Create and update a named transformation and allow it for strict transformations:
```python
cloudinary.api.create_transformation(
    name="my_named_t_1080",
    definition={
        "width": 1920,
        "height": 1080,
        "crop": "limit",
        "bit_rate": "3500k"
    }
)
cloudinary.api.update_transformation(
    transformation="my_named_t_1080",
    allowed_for_strict=True
)
```
- Create a streaming profile (test8) referencing that transformation (and allow it under strict transformations).
- Upload the video (private) with an eager transformation:
```python
import cloudinary
import cloudinary.uploader
import cloudinary.api

response = cloudinary.uploader.upload(
    file_path,
    public_id=public_id,
    folder=folder,
    resource_type="video",
    sign_url=True,
    type='private',  # ensures the video is not publicly accessible
    eager=[
        {
            "streaming_profile": "test8",
            "format": "m3u8",
            "type": "private",
            "sign_url": True
        }
    ],
    invalidate=True,
    secure=True,
    eager_async=False
)
```
Now, the HLS URL I get is something like:
https://res.cloudinary.com/<cloud_name>/video/private/s--aaaabbbb--/sp_test8/series/1/0_6.m3u8
The Problem: When I manually alter the signature part (e.g., s--aaaabbbb-- to some random text), the URL still works—I expected a 403 or some error saying the signature is invalid.
Questions:
- Why does changing the signature still allow me to play the video, even though I have strict transformations enabled?
- Is there a specific setting or approach I’m missing to ensure an incorrect signature always fails?
Thank you for any help or clarification. If there’s a recommended approach to truly invalidate a changed signature I’d love to know.
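Added example, not part of the original post and not Cloudinary's own code: an offline check that recomputes the `s--…--` component of a delivery URL like the one above and reports whether it matches. It assumes the default short signature scheme used by Cloudinary's SDKs (first 8 characters of the URL-safe Base64 SHA-1 digest of the transformation/public-ID path followed by the API secret) and a URL with no version component; `API_SECRET`, the cloud name and the function names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder, not a real credential.
API_SECRET = "example_api_secret"

# /<resource_type>/<delivery_type>/s--<signature>--/<transformation>/<public_id>.<format>
URL_RE = re.compile(
    r"^https://res\.cloudinary\.com/(?P<cloud>[^/]+)/(?P<rtype>[^/]+)/"
    r"(?P<dtype>[^/]+)/s--(?P<sig>[^/]+)--/(?P<to_sign>.+)$"
)


def expected_signature(to_sign, api_secret):
    """Signature the SDK would emit for this path (assumed default SHA-1 scheme)."""
    digest = hashlib.sha1((to_sign + api_secret).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")[:8]


def check_url(url, api_secret):
    """Return 'valid', 'signature-mismatch' or 'unsigned-or-malformed'."""
    m = URL_RE.match(url)
    if m is None:
        return "unsigned-or-malformed"
    want = expected_signature(m["to_sign"], api_secret)
    # Constant-time comparison; bytes so arbitrary tampered text is accepted as input.
    same = hmac.compare_digest(m["sig"].encode("utf-8"), want.encode("ascii"))
    return "valid" if same else "signature-mismatch"


def build_signed_url(cloud, to_sign, api_secret):
    """Assemble a private video URL in the same shape as the one in the post."""
    sig = expected_signature(to_sign, api_secret)
    return f"https://res.cloudinary.com/{cloud}/video/private/s--{sig}--/{to_sign}"


if __name__ == "__main__":
    path = "sp_test8/series/1/0_6.m3u8"  # transformation + public ID from the post
    good = build_signed_url("demo-cloud", path, API_SECRET)
    tampered = re.sub(r"s--[^/]+--", "s--some-random-text--", good)
    for url in (good, tampered):
        print(check_url(url, API_SECRET), url)
```

If the original URL reports `valid` here and the altered one reports `signature-mismatch`, the URLs are being generated correctly and the remaining question is what the delivery side enforces for that asset and derived rendition.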