I just read this page:

It says that image styles will append a token to the end of image URLs.

As an example, links that previously pointed to a URL like http://example.com/sites/default/files/styles/thumbnail/public/field/image/example.png will now point to a URL like http://example.com/sites/default/files/styles/thumbnail/public/field/image/example.png?itok=zD_VaCaD.

If a site changes the URLs of images, it can be bad for SEO. I've had Drupal sites with 1,000+ visits per day just from image searches, so image SEO is an issue that should be considered.

Maybe there is another way to fix the security problem other than changing URLs? URLs should never change...


John Pitcairn’s picture

Was wondering about this myself. I guess the only sane solution at present is to add the configuration variable to turn off the tokens.

J. Cohen’s picture

Is it a big security risk? What are the possible attacks that it would open a site up to?

John Pitcairn’s picture

There's the potential for a denial of service attack, but that's it. Realistically, every Drupal site using imagecache got by just fine without the tokens for years...

J. Cohen’s picture

Who should be contacted to remove that "feature" by default? It's going to mess up a lot of websites. Probably happened to one of mine, since the traffic went down when I upgraded to D7. I didn't even think to look at that possibility.

John Pitcairn’s picture

You'll need to argue with the Drupal security team. Good luck with that ;-)

scott.allison’s picture

Even though I fully support this security feature by default, in some cases it would be more practical to bypass this.

You are able to bypass the token requirement by adding the following to your settings.php file:

$conf['image_allow_insecure_derivatives'] = TRUE;

Even though this allows images to be created without the token, it still adds the token to the end of the URL each time. If the token is not required it should not be added by image_style_url. The reason for keeping it is that if the image_allow_insecure_derivatives variable is set back to false, the links would remain valid. There should be a second variable for this purpose, to remove the token altogether.
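An added example, not part of the post above and not Drupal core code: a simplified stand-alone model of how an itok-style token ties a derivative request to one style and one file, and what changes when the check is switched off as with image_allow_insecure_derivatives. The function names, the key and salt values, and the exact HMAC construction are assumptions made for illustration.

```php
<?php
// Stand-alone model of an itok-style check; NOT Drupal core code.
// Key and salt are constructed sample values (a real site keeps these secret).
const SITE_PRIVATE_KEY = 'constructed-private-key';
const SITE_HASH_SALT   = 'constructed-hash-salt';

// Hypothetical helper: URL-safe base64 of HMAC-SHA256 over "style:uri",
// truncated to 8 characters so it fits in a short query parameter.
function example_style_token(string $style, string $uri): string {
  $mac = hash_hmac('sha256', $style . ':' . $uri, SITE_PRIVATE_KEY . SITE_HASH_SALT, true);
  $b64 = strtr(base64_encode($mac), ['+' => '-', '/' => '_', '=' => '']);
  return substr($b64, 0, 8);
}

// Hypothetical helper: may this request trigger generation of a new derivative?
function example_may_generate(string $style, string $uri, array $query, bool $allow_insecure): bool {
  if ($allow_insecure) {
    // Models $conf['image_allow_insecure_derivatives'] = TRUE: token not required.
    return true;
  }
  $supplied = (isset($query['itok']) && is_string($query['itok'])) ? $query['itok'] : '';
  // Constant-time comparison of the expected and supplied tokens.
  return hash_equals(example_style_token($style, $uri), $supplied);
}

// Constructed sample request data.
$uri  = 'public://field/image/example.png';
$good = ['itok' => example_style_token('thumbnail', $uri)];

$cases = [
  'valid token, matching style'  => ['thumbnail', $good, false],
  'token reused for other style' => ['large', $good, false],
  'no token'                     => ['thumbnail', [], false],
  'no token, insecure allowed'   => ['thumbnail', [], true],
];
foreach ($cases as $label => [$style, $query, $insecure]) {
  $verdict = example_may_generate($style, $uri, $query, $insecure) ? 'generate' : 'deny';
  printf("%-30s %s\n", $label, $verdict);
}
```

Because the token is derived from the style name and file URI together with site secrets, a token issued for one style does not validate for another, which is why the generated links carry a different itok per style.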

WorldFallz’s picture

The Drupal security team takes security very seriously and I have no doubt that they did a full risk/reward analysis before making such a change to core.

J. Cohen’s picture

There is no one who works on core who takes the SEO just as seriously? This might turn out to be a disaster for some websites and they will have no idea why their traffic dropped.

scott.allison’s picture

I would like to think the big search engines are smarter than that, but we all know they're not.

Have you noticed a significant or even minor effect from the upgrade to 7.20?

hanoii’s picture

Can most of those who commented on this issue post an update on whether the itok addition really had any impact on their SEO, or whether it was more of a new panic thing and SEO traffic normalized after some time?

remaye’s picture

Yes, please share some feedback from your experience.
It seems obvious the itok token had some impact at the moment of the 7.20 update, by changing the image URL.
But did the sites experiencing it regain their initial state of SEO after a while?
And does it seem to have an impact on new sites built after version 7.20?