Signed URL is never expired about aws-cloudfront-sign HOT 3 OPEN

UPDATE:

For anyone signing URLs, I would strongly recommend the AWS SDK feature:
AWS.CloudFront.Signer

Please note that this is the JavaScript SDK, if you're not using javascript you can look up the equivalent SDK for you.

from aws-cloudfront-sign.

I'm having the same issue. Did someone figured this out?

from aws-cloudfront-sign.

I believe this issue happens due to caching on the browser. So when I access for the first time a signed URL, within the expiration time interval, it downloads the JSON file (as expected in my case), and no matter how much time passes I'm still able to download the file through that signed URL WHILE using the same browser window. But when I try to use the same URL on another device (or incognito window) it denies the request if the URL is expired, however, if the URL is still valid it returns the JSON file as expected.

So, for me, the bottom line is: Signed URLs are working just fine, the access to URL content is only possible if you first opened the URL before it expired or if you have accessed the content while the URL was still valid and the content of the URL has been cached on your browser in which case you would be able to access the content as long as it is cached in your browser. So it seems to me that an attacker wouldn't be able to flood my server with requests (which was my primary concern), since the URL content wouldn't be available after the URL expires. An attacker would only be requesting content from its own browser cache if there's any, otherwise, CloudFront would deny the request as expected.

Also, worth noting that anyone signing URLs served from AWS S3 origin should strongly consider blocking access to S3 URLs, otherwise no matter if your CloudFront URLs are signed, if someone is able to figure out your S3 Bucket URL they would have free access to the content anyways. You can checkout proper instructions on how to do that in this section of CloudFront docs.

Another important issue is that if you are signing URLs on-demand, which means that a user with access to a given page would get a signed URL (on click, on page load, or on any other interaction - after all, you have to provide the user with the signed URL somehow), you are vulnerable to an attacker with access to that page/route, meaning that anyone with proper access to that page would be able to generate an "infinity" number of signed URLs. And that is important because two signed URLs that have been signed at different moments, even though pointing to the same resource on your origin (eg.: S3 bucket object), are different from each other. So each signed URL is a different request to CloudFront, therefore flooding your CloudFront with requests is now possible (each request increases your AWS bill - remember that CloudFront charges you through requests and transferred-out data). The way I deal with it is through rate limiters, limiting the number of requests the client can make to my server requesting a signed URL. Here's the npm package for simplifying the implementation. It's simple and effective, however, you may have a specific case in which limiting through IP Addresses isn't a good idea, so you might want to check out the signed cookies instead, here's the section on CloudFront docs regarding it.

TL;DR - ¹You are able to reuse a CloudFront signed URL after its expirations because of browser caching. The expired URL won't work on incognito windows or different devices/browsers. ²You should restrict access to S3 buckets through origin access identity if you are using CloudFront signed URLs. ³If users can request signed URLs on-demand (clicking on something or reloading the page) you should implement rate-limiting so attackers with user-access can't flood your servers.

Anyone thinks differently? I would appreciate corrections since I'm applying these ideas in my application.

from aws-cloudfront-sign.