
I'm looking to use the presigned URL feature to allow users of my serverless application to upload images. After reading about it, it sounds like the perfect solution, but I have a question about security.

By using the presigned URL method, the upload happens client side rather than server side, and my only concern with this is that, despite my app requiring authentication before an upload happens, it doesn't prevent a user from uploading a malicious file, as they could bypass my client-side checks to determine whether the file is an image or not.

Does anyone have any clarification on this matter?

Thanks!


1 Answer


Correct. If they can retrieve the pre-signed URL and bypass your client-side logic then they can upload whatever they like using that URL. If you can't completely control the client-side exposure then you can't trust client-side validation and you should implement rules server-side as well. You could use Lambda here, potentially.
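One way to do the server-side check the answer suggests, as an added example that is not part of the original answer: a Lambda handler triggered by S3 `ObjectCreated` events that reads the first bytes of each uploaded object, compares them against known image signatures, and deletes anything that does not match. The accepted formats, the 5 MiB limit and the optional `s3` parameter (used to inject a client for testing) are assumptions of this example.

```python
"""Server-side check for objects that arrived through a presigned URL."""
import urllib.parse

# Leading bytes ("magic numbers") of the image formats this example accepts.
SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit, not from the original post


def sniff_image_type(head: bytes):
    """Return the MIME type implied by the file's first bytes, or None."""
    for mime, prefixes in SIGNATURES.items():
        if any(head.startswith(p) for p in prefixes):
            return mime
    # WebP is a RIFF container with "WEBP" at offset 8.
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "image/webp"
    return None


def handler(event, context=None, s3=None):
    """S3 ObjectCreated handler: delete anything that is not an allowed image."""
    if s3 is None:
        import boto3  # provided by the Lambda Python runtime
        s3 = boto3.client("s3")
    results = []
    for record in event["Records"]:
        bucket = record["s3"]["bucket"]["name"]
        # Keys in S3 event notifications are URL-encoded ("+" for spaces).
        key = urllib.parse.unquote_plus(record["s3"]["object"]["key"])
        size = record["s3"]["object"].get("size", 0)
        mime = None
        if 0 < size <= MAX_BYTES:
            # Fetch only the first 12 bytes; enough for every signature above.
            body = s3.get_object(Bucket=bucket, Key=key, Range="bytes=0-11")["Body"]
            mime = sniff_image_type(body.read())
        if mime is None:
            s3.delete_object(Bucket=bucket, Key=key)  # reject the upload
        results.append((key, mime))
    return results
```

A matching signature only shows that the file starts like an image, not that the rest of it is harmless, so treat this as a first filter: keep uploads in a location that is not served to other users until the check has passed.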
