I have been developing a website where people can buy digital products and then download them after the payment. I am using MERN stack and thinking of using AWS S3 for storing the digital products.
I am quite worried about implementing the security. I want to make sure that nobody can find an evil way to download files unless they purchased the product.
Not only about AWS S3 but anything you can suggest is appreciated.
I am not really an experienced guy in this industry, since I am a mechanical engineer. So I appreciate even a single bit of your suggestions.
You should use Amazon S3 pre-signed URLs.
It works like this:
All files in Amazon S3 remain private
Users interact with your website and purchase the software
Your website then generates a pre-signed URL, which is a time-limited link to a private object stored in Amazon S3
Users can click that link to download the file. After the expiry period (which you can set), the link will no longer work.
Yes, they could share that link with other people, but it would only work for the stated time period (e.g. 5 minutes).
The signed URL only takes a couple of lines of code to generate. It can be generated within your app, without having to make an API call to S3.
I am developing a web app kind of like canva so I have design images I need to store. Is the best way to store them on s3 just to manually upload each design, make the bucket public, and input the url to each image in my web app?
I ask this question because
I don't know if just making the bucket public is standard practice.
Since the user will be repeatedly loading the main page with all the designs, the images will be constantly reloading. That's why I say repeatedly in the title. Is there a way to better handle the images so it doesn't constantly request?
What I've tried: I've looked at the documentation, but honestly I do not like the AWS documentation. In my opinion it doesn't give clear answers to questions like these. I've looked for other Stack Overflow questions, and I could not find a lot clearly discussing this either.
Let me know if I'm not being clear on anything. Obviously I am not well versed in image storage or anything in that realm so any advice would be greatly appreciated.
It's fine to make such buckets public with permissions; for example, you can add domain-specific permissions and keep it public.
If you are directly serving from S3, at some point it will cost you more. Provision CloudFront with S3 to serve images. AWS already provides an image handler; you can find it in the CloudFormation templates.
Is anyone using a cloud to provide access to their RETS MLS images so that the public can access them at will without a password? I currently have the images stored on my server for direct public access through my website; however, I need lots more space and am just not sure about how to get the images to the web and make them available to view through my website. I download them every 15 minutes from the RETS server and store them on my server. So, what I need is the procedure to convert this storage to a cloud, knowing there may be some password requirements to access the cloud.
We are using Azure Storage (https://learn.microsoft.com/en-us/azure/storage/) to cache all of the images for one of our products. We sort of "lazy load" the images in there. If a request is made for an image, we pull it from our cloud storage (where the image is made public) and stream it from there much faster than over a RETS media request. If we ever have to make an on-demand request from a RETS server for the image, we immediately cache it. We'll also pre-fetch images for slower MLSs. Images have been a severe performance impact on working with RETS systems for us.
This also lets us do some cool stuff like resizing the image on the fly pretty quickly too for our customers so they don't have to waste bandwidth downloading full size images if that's not what they want.
Here is a link to our open source SDK on how our customers end up using the image service.
https://github.com/timitek/getrets-php-sdk#imageurl
Amazon S3 buckets are a better solution. We have around 18 TB of data in them. And also, like you said, "each image needs its own directory"; we have millions of directories for 400+ MLSs.
Everything works fine and there is no delay as well. It's scalable too.
Note: We are getting binary raw data for MLS images and that we are directly writing to S3 and making the image urls.
I am attempting to serve paid videos to the users of my website, which is using php and is hosted on AWS.
I was wondering if:
1) anyone has successfully managed to serve video content through CloudFront securely? No matter what I try, FlashDownloadPlayer has managed to download the video.
2) will the video I upload automatically play in all devices/platforms regardless of input raw file I use ? I wasn't able to confirm this through AWS documentation.
Regardless, any ideas to make video downloading extremely difficult (at least not through FlashDownloadPlayer) would really be appreciated.
My videos are stored in AWS S3.
Thanks!
Yes, you can do this through CloudFront and have it be just as fast as YouTube, with a CDN on a similar scale as Google. The difference being you can make CloudFront private and encrypted as you mention. For example, we host dozens of confidential online videos behind our business Intranet and Extranet site. Obviously the site is password protected, and the videos needed to be private. CloudFront lets you encrypt the video and embed it inside a video player such as JWPlayer. This was the only way we could pass our security audit, while still serving massive video content and having it be fast. It sounds quite involved, but we followed a great guide in this tutorial and got this going in a few hours. Very straightforward.
https://centroy.com/blog/secure-video-alternative-to-youtube
I have videos containing educational content. I'd like to distribute these videos using S3 and my DNN site. I've created my s3 bucket with all the videos.
I'd like users to be able to log in and be able to download the videos that they have paid for.
Also, I'd like to prevent users from sharing video URLs (hotlinking).
I've looked into private distributions but it seems a little complicated as far as signed urls.
Ideally, I'd have some kind of a policy on CloudFront that would only allow videos to be downloaded from my own domain. (I remember doing something like this with S3 itself, where I would add a custom ACL that would specify the HTTP referrer.)
Thanks for your help, my head was about to explode due to information overload.
Cristian
The ideal would be to use a plugin that generates the expiring URLs for you.
If you are on Joomla or WordPress, you may want to look into S3Media Stream.
Just google it and you will find it quite easily.
I hope this helps.
I'm starting a blog and I'm in the process of choosing where I should host it. For now I want a free solution like Blogger or WordPress.com.
The problem I'm facing is that I want to use files I have in an S3 bucket in my blog, but none of the blog solutions I found support any kind of server code, which means that in order to use S3 query string authentication I would have to put vulnerable information in the client. For obvious reasons I don't want to do that.
So, I'm looking for ideas on how I can safely include content from S3 in a free blog host.
I'm not aware of any blog software that by default supports Amazon S3. So your best shot is to get cheap hosting (hosting is really cheap these days, a few dollars a month). Then you can install a plugin which supports Amazon S3.
I think we might need a bit more detail here. For example, if you just want to link to files on S3 from your blog, you can make the files globally readable on S3 and then just link to them, with no authentication necessary.
If you want to do something more complex, maybe look into hosting WordPress yourself using WordPress.org, at which point you can use server-side code yourself, perhaps as a plugin. Or, maybe there's an existing plugin that works with WordPress that would suit you; there's definitely a plugin which copies WordPress file uploads to S3 and then serves them from there, rather than from your blog host, for example. It's not a free solution, but hosting starts pretty cheap.
For fairly obvious reasons of security, there aren't any blog service providers I can think of who provide server-side code access.