如何在不泄露URL的情况下安全地在浏览器中呈现Azure存储的图像？

Say I have my file stored at (real credentials removed):

https://mystorageaccount.blob.core.windows.net/mycontainer/thumbnails/1234567890/thumbnail.jpg

A) This file is currently downloadable if I simply browse to it - I really don't think that should be possible.

B) I want to render this in my app without allowing the user to see the URL.

I am using PHP on the backend. Is there some method wherein I download the image to the server and render it from there? Is that efficient?

Any thoughts appreciated.

These are the options you have:

1. Make the blobs/container public and embed with the public URL
2. Generate a temporary SAS token for the blob and embed with URL + SAS token
3. Download the blob from your backend with a storage key and stream it through it to the client

With option 1 the file must be publicly accessible, which I guess you don't want.

That leaves options 2 and 3.

If you are okay with revealing the URL, but only giving the user temporary access to the file, option 2 can be a good one.

Otherwise you only have option 3.

The good side of options 1 and 2 is that the blob download happens from Storage to user directly, and your app doesn't have to spend time/bandwidth on streaming files.