CASE 101 · VELLICHOR · 2023
Paywalled content that doesn’t leak through scraping.
A digital publishing platform was losing measurable subscription value to scraping. Their CloudFront distribution served paywalled PDFs over public URLs; the subscriber check happened on the page, not on the asset. We retrofitted CloudFront Signed URLs across the asset surface without breaking legitimate flows.
Digital publishing
SECURITY
2023
RESULTS
What changed, by the numbers.
SCRAPED ASSETS
−98%
URL TTL
5m
LEGITIMATE-FLOW IMPACT
0
SUBSCRIPTION RETENTION
+11%
HOW IT WENT
The leak was straightforward: a subscriber would share a PDF URL, the URL was permanent, scrapers picked it up, the article showed up on aggregator sites. The publisher had been considering more aggressive paywall walls; the real fix was the asset URLs themselves.
CloudFront Signed URLs with a 5-minute TTL, generated by a Lambda@Edge function that verified the subscriber’s Cognito session against the asset they were requesting. Asset URLs in the page rendered server-side, signed for the requesting user, and expired before they could be useful to anyone else.
Scraped asset retrieval dropped 98% year-over-year. Legitimate user experience didn’t change (the signed URLs are invisible to subscribers reading articles). Subscription retention improved 11% in the quarter post-launch — measurable confirmation that the leak had been costing real money.
RELATED · SAME DOMAIN
Other engagements in this space.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.