Signing pagespeed resource URLs

Note: New feature as of 1.9.32.1

PageSpeed can be set to automatically cryptographically sign and verify resource URLs. Turning on resource signing will cause any resource requested without the proper signature to return 404 Not Found or 403 Forbidden depending upon the InPlaceResourceOptimization setting. This option can be used to reduce the attack surface for denial of service attacks.

pagespeed UrlSigningKey signature_key_string

Resource signing can also be turned on, but not enforced, which may be used for the transition period of moving a site from unsigned resourced to signed resources. In this mode, signed URLs are generated and accepted, as well as URLs with no signature and URLs with invalid signatures.

pagespeed AcceptInvalidSignatures true

This directive can be used at the server level.