
AWS Keys exposed on URL from photos on my heroku site

Vicente G. Reyes ・1 min read

I have 2 Django sites deployed on Heroku, and I noticed that AWSAccessKeyId and Signature are exposed in both sites' photo URLs when I open an image in a new tab.

I don't think this is normal, since I know those keys should be kept in the environment.

Discussion

I'm not an expert but I think what you are seeing are signed links: docs.aws.amazon.com/AmazonS3/lates...

Basically that signature is derived from your AWS Secret Key and the path being requested and stuff like that. This proves to AWS that you have access to the file, WITHOUT actually revealing your AWS Secret Key!

So definitely double-check me, but I think that might be what you are seeing!

 

I think it is what I see. But if I'm not mistaken, I don't think the keys & signature should be exposed in the URL.

I'll take a look at the link.

Thanks, Corey!

 

Here's another link about signed links as query params, which I believe is what you have! docs.aws.amazon.com/AmazonS3/lates...

In general I think only your AWS Secret Key is private and can't be shared. Since the signature here is a single-use token derived from it, it's ok!

Whew. I'm relieved. But I'll still look into hiding those on the URL if they're possible. Thanks again, Corey!
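Corey's two replies above describe signed links: a signature computed with the secret key over the requested path and an expiry, with only the access key ID and the signature appearing in the URL. The block below is an added example, not code from the post or from Django, Heroku or django-storages, that models the scheme end to end. It follows the query-string form of AWS Signature Version 2, which uses exactly the AWSAccessKeyId, Expires and Signature parameters the post mentions; the credentials, bucket name and object key are constructed placeholders, and verify_get is a local stand-in for the check S3 performs, not S3's own code.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed placeholder credentials for the example; not real AWS keys.
ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
BUCKET = "example-bucket"


def string_to_sign(method, bucket, key, expires, content_md5="", content_type=""):
    """SigV2 string-to-sign for a query-string-authenticated request.
    CanonicalizedAmzHeaders is empty: a browser loading an <img> sends none."""
    resource = f"/{bucket}/{key}"
    return f"{method}\n{content_md5}\n{content_type}\n{expires}\n{resource}"


def sign(secret_key, sts):
    """Signature = Base64(HMAC-SHA1(secret, string_to_sign))."""
    mac = hmac.new(secret_key.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def presign_get(bucket, key, access_key_id, secret_key, expires):
    """Build the URL the site embeds. Note what is in it: the access key ID
    (an identifier) and the signature, but never the secret key itself."""
    sig = sign(secret_key, string_to_sign("GET", bucket, key, expires))
    return (
        f"https://{bucket}.s3.amazonaws.com/{quote(key)}"
        f"?AWSAccessKeyId={access_key_id}&Expires={expires}"
        f"&Signature={quote(sig, safe='')}"  # '+' '/' '=' must be percent-encoded
    )


def exposed_parameters(url):
    """Names of the query parameters a viewer sees when opening the image URL."""
    return sorted(parse_qs(urlparse(url).query).keys())


def verify_get(url, secret_key_for, now):
    """Local model of the server-side check (an assumption, not S3's code):
    look up the secret for the advertised key ID, recompute the signature over
    the path and Expires found in the URL, compare in constant time, and
    reject the link once Expires has passed."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        access_key_id = params["AWSAccessKeyId"][0]
        expires = int(params["Expires"][0])
        signature = params["Signature"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now > expires:
        return False
    secret = secret_key_for(access_key_id)
    if secret is None:
        return False
    bucket = parsed.hostname.split(".", 1)[0]
    key = unquote(parsed.path.lstrip("/"))
    expected = sign(secret, string_to_sign("GET", bucket, key, expires))
    return hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8"))


if __name__ == "__main__":
    url = presign_get(BUCKET, "photos/cat.jpg", ACCESS_KEY_ID, SECRET_KEY, 1700000000)
    lookup = lambda kid: SECRET_KEY if kid == ACCESS_KEY_ID else None
    print(url)
    print("query params:", exposed_parameters(url))
    print("secret in URL:", SECRET_KEY in url)
    print("valid before expiry:", verify_get(url, lookup, now=1699999000))
    print("valid after expiry:", verify_get(url, lookup, now=1700000001))
    print("tampered path:", verify_get(url.replace("cat.jpg", "dog.jpg"), lookup, now=1699999000))
```

Running it shows the three checks that answer the post's worry: the URL carries the access key ID and the signature but the secret key never appears in it; the signature only verifies against the exact path and Expires it was computed over, so changing either one is rejected; and the link stops verifying once Expires has passed. Two practitioner caveats follow from the same model. The link is bound to a time window, not to one request, so anyone who obtains the URL can reuse it until it expires; keep the expiry short. And the access key ID in the URL names a real IAM principal, so that user should hold nothing beyond the s3:GetObject permission on the media bucket, because a leak of its secret from the server side (not from the URL) would otherwise expose everything that principal can reach.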


Vicente G. Reyes
A Self-Directed Learner, a Freelance Web Developer, a Volunteer Developer at Project Website, & DEV Tag-Moderator, one of the brains of The Underwearkers on Facebook & a podcast host.