diff --git a/CHANGELOG.md b/CHANGELOG.md
index 57da27b..066472f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,11 @@
+3.16.0
+======
+
+* (feature) Add `AssetProxyUrlGenerator` to rewrite asset URLs.
+* (feature) Sign asset proxy URLs for more secure proxying.
+
+
+
 3.15.0
 ======
diff --git a/composer.json b/composer.json
index ac5d48f..43e6101 100644
--- a/composer.json
+++ b/composer.json
@@ -16,10 +16,20 @@
 "21torr/hosting": "^3.2 || ^4.0",
 "psr/log": "^3.0",
 "sebastian/diff": "^4.0.4 || ^5.0",
+ "symfony/config": "^7.1",
 "symfony/console": "^7.1",
+ "symfony/dependency-injection": "^7.1",
+ "symfony/event-dispatcher": "^7.1",
+ "symfony/filesystem": "^7.1",
+ "symfony/finder": "^7.1",
+ "symfony/framework-bundle": "^7.1",
 "symfony/http-client": "^7.1",
+ "symfony/http-foundation": "^7.1",
+ "symfony/http-kernel": "^7.1",
 "symfony/lock": "^7.1",
 "symfony/rate-limiter": "^7.1",
+ "symfony/routing": "^7.1",
+ "symfony/service-contracts": "^3.5",
 "symfony/string": "^7.1",
 "symfony/validator": "^7.1",
 "ueberdosis/tiptap-php": "^1.3"
@@ -69,4 +79,4 @@
 "vendor-bin/phpstan/vendor/bin/phpstan analyze -c phpstan.neon . --ansi -v"
 ]
 }
-}
\ No newline at end of file
+}
diff --git a/src/Assets/Controller/AssetProxyController.php b/src/Assets/Controller/AssetProxyController.php
index 42b728f..07cdb0b 100644
--- a/src/Assets/Controller/AssetProxyController.php
+++ b/src/Assets/Controller/AssetProxyController.php
@@ -7,6 +7,7 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\ResponseHeaderBag;
 use Torr\Storyblok\Assets\Proxy\AssetProxy;
+use Torr\Storyblok\Assets\Url\AssetProxyUrlGenerator;
 /**
 * @final
@@ -15,10 +16,16 @@ class AssetProxyController extends AbstractController
 {
 public function proxyAsset (
 AssetProxy $assetProxy,
+ AssetProxyUrlGenerator $proxyUrlGenerator,
 Request $request,
 string $path,
 ) : Response
 {
+ if (!$proxyUrlGenerator->verifyProxyUrlRequest($request))
+ {
+ throw $this->createNotFoundException("Invalid request");
+ }
+
 // check for valid URLs
 if (!preg_match('~^\d*x\d*\/\w+\/[^\/]+$~D', $path))
 {
diff --git a/src/Assets/Url/AssetProxyUrlGenerator.php b/src/Assets/Url/AssetProxyUrlGenerator.php
new file mode 100644
index 0000000..ae34207
--- /dev/null
+++ b/src/Assets/Url/AssetProxyUrlGenerator.php
@@ -0,0 +1,45 @@
+.+)$~D', $storyblokUrl, $matches))
+ {
+ return $storyblokUrl;
+ }
+
+ $url = $this->urlGenerator->generate("storyblok.asset-proxy", [
+ "path" => $matches['path'],
+ ], UrlGeneratorInterface::ABSOLUTE_URL);
+
+ return $this->uriSigner->sign($url, null);
+ }
+
+ /**
+ */
+ public function verifyProxyUrlRequest (Request $request) : bool
+ {
+ return $this->uriSigner->checkRequest($request);
+ }
+}
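Review bot: The new guard at the top of `proxyAsset` in AssetProxyController.php checks a signature that the generator computed over an absolute URL (`UrlGeneratorInterface::ABSOLUTE_URL`), and `UriSigner::checkRequest()` rebuilds that URL from the scheme, host and raw query string as the application sees them. Behind a TLS-terminating proxy or CDN that is not set up as a trusted proxy, or one that appends or rewrites query parameters, every asset request would fail the check and return 404. I would state that above the check, e.g. `// signature covers scheme, host, path and query string as seen by this app; trusted proxies must be configured`. The rejection is also silent, so a log line before the `throw` would let operators tell misconfiguration from tampered URLs. The body of `proxyAsset` continues past the end of this hunk.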
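Review bot: In AssetProxyUrlGenerator.php, `sign($url, null)` passes an explicit null expiration, so as far as I can tell the proxy URLs never expire and stay valid until the signing secret changes; that contract is not written down, and `verifyProxyUrlRequest` has an empty docblock. I would fill the docblock, e.g. `/** Returns true only if the request URL carries a valid signature created by this generator. */`, and add `// no expiry: signed URLs end up in cached content` next to the `sign()` call if that is the intent. The visible tail of the generator's pattern, `.+)$~D`, also accepts more than the controller's `~^\d*x\d*\/\w+\/[^\/]+$~D`, so a URL can be signed here and still be refused by the controller's path check; reusing one pattern for both would avoid that. The top of this hunk (class header and the generating method's signature) is missing from the page, so this is based on the visible lines only.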