[Answered] Secure browser-based S3 uploads: signed policy doc or presigned URL?

2👍

There is no meaningful difference from a security perspective.

Signed URLs work with PUT, while signed policy documents work with POST.

Both use signing algorithms that are computationally infeasible to reverse-engineer.

Both allow you to limit the bucket and key that can be written/overwritten. POST is more flexible, allowing you to optionally permit (via policy) the target object key to match a prefix instead of an exact string, which is not likely to be something you’d want to do.

Both have an expiration mechanism.

Both are immune to tampering in the sense that it is not possible to modify the request in a way that allows an action other than the intended one (authorized by the signature) to be performed.

One possible minor advantage of POST uploads is that the policy document allows you to specify a valid size range for the upload. PUT requires either allowing any size or specifying the precise size in bytes by including the Content-Length header in the list of headers signed by the server, and this requires using Signature Version 4. (Older S3 regions also support Signature Version 2, which is less sophisticated but marginally easier to implement, but all regions support V4.)

Decide which one makes the most sense to you from a process/flow perspective, understand what it’s really doing under the hood, and there should be no security-related reason to favor one over the other.

0👍

Don’t reinvent the wheel. Consider using a library like Fine Uploader, which is now free and has a nice example on the Django side (the code that signs the URL for the library to upload directly to S3). The library has lots of good features, including chunking the file into small portions. I have used this to successfully load very large video files (16GB+).

(Apologies if this is not a direct answer to the OP, but it may make the answer less important.)
