To defend against attackers requesting many variants of the same file to overload on-the-fly processing, the server signs derivative URLs with a secret only it knows. Only server-generated URLs validate, and they will typically be cached in the CDN, so attackers cannot generate additional valid URLs.
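One way to implement the signing described above, as an added example that is not code from the original page: the function names, the `sig` parameter, the choice of HMAC-SHA256 and the demo key are all assumptions. It goes slightly beyond the text by also rejecting reordered or duplicated parameters, so that each derivative has exactly one valid URL.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed demo key (assumption); a real deployment loads it from server-side secret storage.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _signature(path: str, query: str) -> str:
    """HMAC-SHA256 over the path and the canonical query string."""
    message = f"{path}?{query}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def sign_derivative_url(path: str, params: dict) -> str:
    """Return the one canonical, signed URL for this file and transformation."""
    query = urlencode(sorted(params.items()))
    return f"{path}?{query}&sig={_signature(path, query)}"


def verify_derivative_url(url: str) -> bool:
    """Accept only URLs byte-identical to what sign_derivative_url() emits."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if [k for k, _ in pairs].count("sig") != 1:
        return False  # missing or repeated signature
    params = [(k, v) for k, v in pairs if k != "sig"]
    if len({k for k, _ in params}) != len(params):
        return False  # the signer never emits duplicate parameter names
    query = urlencode(sorted(params))
    expected = f"{query}&sig={_signature(parts.path, query)}"
    # Comparing the whole query string rejects forged signatures and also
    # reordered or re-encoded parameters, which would create new cache keys.
    return hmac.compare_digest(parts.query.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample: a 300x200 derivative of one image.
    good = sign_derivative_url("/media/photo.jpg", {"w": 300, "h": 200, "fit": "cover"})
    print(good, verify_derivative_url(good))
    print(verify_derivative_url(good.replace("w=300", "w=301")))  # altered size
```

A request that fails verification should be rejected before any image processing starts, so an unsigned variant costs the server one HMAC computation rather than a resize.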