Your decryption/encryption secret (key) is stored on the server side only and if a client requests a thumbnail, you can validate the URL value by successfully decrypting it with this secret and probably do a simple HTTP URL validation check of the decrypted value.
And you have to encrypt all thumbnail URLs with this secret before passing them to the client.
No comments yet.