cloudinary · const-cloudinary · Sep 17, 2025
diff --git a/src/Configuration/CloudConfig.php b/src/Configuration/CloudConfig.php
@@ -29,7 +29,7 @@ class CloudConfig extends BaseConfigSection
 
     public const CONFIG_NAME = 'cloud';
 
-    public const DEFAULT_SIGNATURE_ALGORITHM = Utils::ALGO_SHA1;
+    public const DEFAULT_SIGNATURE_ALGORITHM = Utils::ALGO_SHA256;
     public const DEFAULT_SIGNATURE_VERSION = 2;
 
     // Supported parameters

diff --git a/src/Configuration/UrlConfig.php b/src/Configuration/UrlConfig.php
@@ -17,6 +17,7 @@
  *                                                non-secure HTTP pages.
  * @property bool  $forceVersion                  By default, set to self::DEFAULT_FORCE_VERSION.
  * @property mixed $responsiveWidthTransformation The transformation to use with responsive width.
+ * @property bool  $longUrlSignature              Whether to use long URL signature.
  *
  * @api
  */
@@ -54,6 +55,11 @@ class UrlConfig extends BaseConfigSection
      */
     public const DEFAULT_SECURE = true;
 
+    /**
+     * Default value for long URL signature.
+     */
+    public const DEFAULT_LONG_URL_SIGNATURE = true;
+
     /**
      * Default value for forcing version.
      */
@@ -155,7 +161,7 @@ class UrlConfig extends BaseConfigSection
      *
      * @see https://cloudinary.com/documentation/advanced_url_delivery_options#generating_delivery_url_signatures
      */
-    public ?bool $longUrlSignature = null;
+    protected ?bool $longUrlSignature = null;
 
     /**
      * Set to true to use shorten asset type.

diff --git a/tests/Unit/Asset/AssetAuthTokenTest.php b/tests/Unit/Asset/AssetAuthTokenTest.php
@@ -14,6 +14,7 @@
 use Cloudinary\Asset\Image;
 use Cloudinary\Asset\DeliveryType;
 use Cloudinary\Transformation\Scale;
+use Cloudinary\Utils;
 use UnexpectedValueException;
 
 /**
@@ -94,6 +95,8 @@ public function testNullToken()
         $this->image->authToken->config->key = null;
 
         $this->image->cloud->apiSecret = 'b';
+        $this->image->cloud->signatureAlgorithm = Utils::ALGO_SHA1;
+        $this->image->urlConfig->longUrlSignature = false;
 
         self::assertImageUrl(
             's--v2fTPYTu--/'.self::EXPECTED_VERSIONED_PATH,

diff --git a/tests/Unit/Asset/DistributionTest.php b/tests/Unit/Asset/DistributionTest.php
@@ -16,6 +16,7 @@
 use Cloudinary\Configuration\Configuration;
 use Cloudinary\Configuration\UrlConfig;
 use Cloudinary\Exception\ConfigurationException;
+use Cloudinary\Utils;
 
 /**
  * Class DistributionTest
@@ -215,8 +216,11 @@ public function testCNameSubDomain()
         );
     }
 
-    public function testSignature()
+    public function testShortSignatureWithSHA1()
     {
+        $this->image->urlConfig->longUrlSignature = false;
+        $this->image->cloud->signatureAlgorithm = Utils::ALGO_SHA1;
+
         self::assertImageUrl('s--MDvxhRxa--/' . self::IMAGE_NAME, $this->image->signUrl());
     }
 
@@ -226,7 +230,6 @@ public function testSignature()
     public function testLongSignature()
     {
         $this->image->urlConfig->signUrl          = true;
-        $this->image->urlConfig->longUrlSignature = true;
 
         self::assertImageUrl('s--RVsT3IpYGITMIc0RjCpde9T9Uujc2c1X--/' . self::IMAGE_NAME, $this->image);
     }

diff --git a/tests/Unit/Asset/MediaFromParamsTest.php b/tests/Unit/Asset/MediaFromParamsTest.php
@@ -472,6 +472,9 @@ public function testMediaSignedUrl($options, $expectedPath)
 
         Configuration::instance()->cloud->apiSecret = 'b';
 
+        Configuration::instance()->cloud->signatureAlgorithm = Utils::ALGO_SHA1;
+        Configuration::instance()->url->longUrlSignature = false;
+
         $deliveryType = ArrayUtils::get($options, 'type', DeliveryType::UPLOAD);
 
         self::assertMediaFromParamsUrl(
@@ -490,17 +493,18 @@ public function testMediaSignedUrl($options, $expectedPath)
     public function expectedFileSignatures()
     {
         return [
-            'Should sign an URL with a short signature by default'                   => [
+            'Should sign an URL with a short signature if long_url_signature is false' => [
                 [
                     'sign_url' => true,
                     'source'   => 'sample.jpg',
+                    'long_url_signature' => false,
+                    'signature_algorithm' => Utils::ALGO_SHA1,
                 ],
                 's--v2fTPYTu--',
             ],
-            'Should sign an URL with a long signature if long_url_signature is true' => [
+            'Should sign an URL with a long signature by default' => [
                 [
                     'sign_url'           => true,
-                    'long_url_signature' => true,
                     'source'             => 'sample.jpg',
                 ],
                 's--2hbrSMPOjj5BJ4xV7SgFbRDevFaQNUFf--',

diff --git a/tests/Unit/Utils/ApiUtilsTest.php b/tests/Unit/Utils/ApiUtilsTest.php
@@ -320,13 +320,13 @@ public function testApiSignRequestWithGlobalConfig()
 
         $params = $initialParams;
         Configuration::instance()->cloud->apiSecret = self::API_SIGN_REQUEST_TEST_SECRET;
-        Configuration::instance()->cloud->signatureAlgorithm = Utils::ALGO_SHA256;
+        Configuration::instance()->cloud->signatureAlgorithm = null;
         ApiUtils::signRequest($params, Configuration::instance()->cloud);
         $expected = '45ddaa4fa01f0c2826f32f669d2e4514faf275fe6df053f1a150e7beae58a3bd';
         self::assertEquals($expected, $params['signature']);
 
         $params = $initialParams;
-        Configuration::instance()->cloud->signatureAlgorithm = null;
+        Configuration::instance()->cloud->signatureAlgorithm = Utils::ALGO_SHA1;
         ApiUtils::signRequest($params, Configuration::instance()->cloud);
         $expectedSha1 = '14c00ba6d0dfdedbc86b316847d95b9e6cd46d94';
         self::assertEquals($expectedSha1, $params['signature']);
@@ -382,11 +382,11 @@ public function testApiSignRequestPreventsParameterSmuggling()
                             'Signatures should be different to prevent parameter smuggling');
 
         // Verify the expected signature for the properly encoded case
-        $expectedSignature = '4fdf465dd89451cc1ed8ec5b3e314e8a51695704';
+        $expectedSignature = '6c3d31a5b591c5afb8a37e31764171324de3f57421301e87503e5ceeabad0bbd';
         self::assertEquals($expectedSignature, $signatureWithAmpersand);
 
         // Verify the expected signature for the smuggled parameters case
-        $expectedSmuggledSignature = '7b4e3a539ff1fa6e6700c41b3a2ee77586a025f9';
+        $expectedSmuggledSignature = 'a764c945d130e8c894342711d373606cd39df91fe91dbc4559e778e0b47e7730';
         self::assertEquals($expectedSmuggledSignature, $signatureSmugggled);
     }
 
@@ -420,7 +420,7 @@ public function testConfiguredSignatureVersionIsApplied()
                             'Signature versions should produce different results');
 
         // Version 2 should match the expected encoded signature
-        $expectedV2Signature = '4fdf465dd89451cc1ed8ec5b3e314e8a51695704';
+        $expectedV2Signature = '6c3d31a5b591c5afb8a37e31764171324de3f57421301e87503e5ceeabad0bbd';
         self::assertEquals($expectedV2Signature, $signatureV2,
                           'Version 2 should match expected encoded signature');
     }