Serving resized S3 images on the fly

#6 Preventing request forgery

Secure requests against pesky hackers

.com software
3 min read · Aug 31, 2022


If you didn’t notice — this is part of a series

Preventing users from altering the request

Imagine a 20Mb image in our AWS S3 bucket. A malicious user could grab the URL to the image and run the following script:

The effects of such an action would be disastrous for the server. Thumbnails would keep being generated until the server dies or the hard disk runs out of space. We need a way to ensure that only certain customers know how to generate a correct link.

Choosing protection method

Since the application requires unauthenticated access, this doesn't leave us with many options. Once we publish the URL to the thumbnail on the Internet, Google will cache it, so we cannot rely on sessions or hide the link. The only way to make sure nobody has tampered with the request is to put the HMAC string, computed over the request parameters with a secret key, directly in the URL.
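As an added illustration (not code from the article), here is a minimal version of that scheme in Python: the server signs the image key and the requested dimensions with a secret key and appends the HMAC to the URL, and the resize endpoint only does work when the signature still matches. The `/thumb` endpoint and the `key`, `w`, `h` and `sig` parameter names are assumptions for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret for this example; in production load it from a secret store.
SECRET_KEY = b"replace-with-a-long-random-server-side-secret"


def _canonical(key: str, width: int, height: int) -> bytes:
    # The signed message covers every parameter that drives the resize,
    # so changing any one of them invalidates the signature.
    return f"{key}|{width}|{height}".encode()


def sign_thumbnail_url(key: str, width: int, height: int, secret: bytes = SECRET_KEY) -> str:
    """Build the thumbnail URL our own templates will publish (assumed /thumb endpoint)."""
    tag = hmac.new(secret, _canonical(key, width, height), hashlib.sha256).hexdigest()
    return "/thumb?" + urlencode({"key": key, "w": width, "h": height, "sig": tag})


def verify_thumbnail_url(url: str, secret: bytes = SECRET_KEY) -> bool:
    """Return True only if the request carries a valid HMAC over key/w/h.

    The resize endpoint should call this before touching S3 or the image
    library; a False here means the request was altered or never signed.
    """
    params = parse_qs(urlparse(url).query)
    try:
        key = params["key"][0]
        width = int(params["w"][0])
        height = int(params["h"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    expected = hmac.new(secret, _canonical(key, width, height), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    signed = sign_thumbnail_url("photos/big.jpg", 300, 200)
    print(signed)
    print("valid:", verify_thumbnail_url(signed))
    print("tampered width:", verify_thumbnail_url(signed.replace("w=300", "w=3000")))
```

Anyone who changes the width in the URL, or drops the `sig` parameter, gets rejected before a single byte is resized, so the script from the previous section can no longer drive the server into generating endless thumbnails.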
