How secure is a Signed URL with Apigee if the URL gets leaked to a third person?

I am looking to integrate an API with Apigee which will be uploading files to GCP Cloud Storage. The solution I am leaning towards is using a Signed URL. But I have a concern: what if the Signed URL gets leaked? Once the URL has been signed, anyone in possession of it will have access to the object, to either GET or PUT a file, depending on what you've specified in the signing process.

Even with the expiration time, the URL will be accessible by anyone who holds the URL.

Is there any way to prevent that?

2 ACCEPTED SOLUTIONS

What if the Signed URL gets leaked? Once the URL has been signed, anyone in possession of it will have access to the object, to either GET or PUT a file, depending on what you've specified in the signing process.

A Signed URL is a secret. You do not want it to leak. The way to mitigate the risk is to reduce the validity time for the Signed URL. You can make it valid for 10 seconds, or 3 minutes, etc., to radically shrink the window of vulnerability. But the first line of defense is: don't let the URL leak! Which means only use TLS for transmitting it. And then take steps in the receiving app to ensure it is less likely to leak. Don't store it persistently. Don't share it around, etc.


Can we create a cert-based Signed URL? If yes, how?

