2👍
There is no meaningful difference from a security perspective.
Signed URLs work with PUT
, while signed policy documents work with POST
.
Both use signing algorithms that are computationally-infeasible to reverse-engineer.
Both allow you to limit the bucket and key that can be written/overwritten. POST
is more flexible, allowing you to optionally permit (via policy) the target object key to match a prefix instead of an exact string, which is not likely to be something you’d want to do.
Both have an expiration mechanism.
Both are immune to tampering in the sense that it is not possible to modify the request in a way that allows an action other than the intended one (authorized by the signature) to be performed.
One possible minor advantage of POST
uploads is that the policy document allows you to specify a valid size range for the upload. PUT
requires either allowing any size or specifying the precise size in bytes by including the Content-Length
header in the list of headers signed by the server, and this requires using Signature Version 4. (Older S3 regions also support Signature Version 2, which is less sophisticated but marginally easier to implement, but all regions support V4.)
Decide which one makes the most sense to you from a process/flow perspective, understand what it’s really doing under the hood, and there should be no security-related reason to favor one over the other.
0👍
Don’t reinvent the wheel. Consider using a library like fineuploader which is now free and has a nice example on the django side ( the code that signs the URL for the library to upload directly to S3 ). The library has lots of good features including chunking the file into small portions. I have used this to successfully load very large video files (16GB+).
(Apologize if this is not a direct answer to the OP but may make the answer less important)
- [Answered ]-Celery .env variables not used in settings.py
- [Answered ]-Json recognised as String
- [Answered ]-Second Django Logout Does Not Work
- [Answered ]-Django bootstrap to have both call a view and modal in same anchor tag
- [Answered ]-Passing data to bootstrap modal Django template