any further resource that you have about signed URLs and cookies. Obviously I can do my own research, but if you have any resources on hand that would be much appreciated.
The best place to get started is the official docs from the cloud provider you're using.
Like from Google Cloud CDN or AWS CloudFront:
cloud.google.com/cdn/docs/using-signed-urls
cloud.google.com/cdn/docs/using-signed-cookies
docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-cookies.html
@@hayk.simonyan thanks!!! I will keep that in mind going forward regarding documentation
@@hayk.simonyan Thanks for the video. What happens if a malicious user gets hold of the signed URL and then requests S3 to get the image? Wouldn't they see the image, since the server uses the public key on its end to match the signature?
@@serendipity1328 If the signed URL has not expired, they will be able to access the object because the signature is valid, regardless of how they got hold of the URL.
But once the signed URL expires, they will no longer be able to access the object; at that point they would need a new signed URL to access the object again. This is also where you can use it in combination with signed cookies to make sure only users with a signed URL and a signed cookie can access the object.
@@hayk.simonyan Understood. Thanks for the reply
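An added example, not part of the thread and not any provider's code: a simplified HMAC-based signed URL (CloudFront and Cloud CDN each use their own formats) showing the check described in the reply above, where any holder of an unexpired URL passes and an expired or altered URL does not. The key, the host, and the parameter names `expires` and `sig` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real key lives in a secret store, never in source.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _mac(path: str, expires: int) -> str:
    """HMAC-SHA256 over the path and expiry, URL-safe base64 without padding."""
    msg = f"{path}?expires={expires}".encode()
    digest = hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_url(base: str, path: str, now: int, ttl: int) -> str:
    """Application server: issue a URL valid for ttl seconds from now."""
    expires = now + ttl
    query = urlencode({"expires": expires, "sig": _mac(path, expires)})
    return f"{base}{path}?{query}"


def verify_url(url: str, now: int) -> str:
    """Edge: return 'ok', 'expired' or 'bad-signature'.

    Nothing here identifies the requester; the URL itself is the credential,
    so a short ttl is what bounds the exposure of a leaked URL.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return "bad-signature"
    # Check the MAC before the expiry so an edited expiry is never trusted.
    expected = _mac(parts.path, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "bad-signature"
    if now >= expires:
        return "expired"
    return "ok"
```
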