Audience question: on-the-fly processing is nice because it doesn't load the server upfront, but seems prone to DDoS — an attacker can request many variants of the same uploaded file and hog the server. How to defend? Answer: sign the URL with a server-only secret so only the server can generate valid URLs; CDN caching absorbs legitimate traffic and attackers can't generate new signed URLs.