What is a Signed URL?
A signed URL temporarily provides access to a resource. Signed URLs contain user/authentication information in their query string, allowing users without credentials to perform specific actions on a resource. You can add more information in the query string and these values cannot be changed on the client-side.
Signed URL basic workflow:
- Create the URL you want to sign. Mostly the URL will be in the below format.
Sign the query parameters with a secret key using the HMACSHA256 hashing algorithm and you will get a hash code in this process.
Append the hash code in your URL like below,
When you receive the request in the server with a signature, you need to do the same hashing with the same secret on the request URL query parameters without the signature in the query parameter.
Compare the output hash code with the hash code that you get in the request query parameter.
You will get a different hash code if the URL is altered on the client side.
How to sign a URL? (C#)
Here is the code snippet to sign the URL in C#. The sign URL method requires a message and a secret code to generate the hash code.
We should add some additional query parameters for security and for URL expiration.
nonce - It's a random string to prevent the replay attack.
timestamp - It helps you to calculate the URL expiry. It's advisable to use a UNIX timestamp to avoid confusion in the date format.
expirationtime - The lifespan of the URL.
How to verify the Signed URL?
Here is the code snippet to verify the signed URL,
The above snippet has only the signature validation and it validates only whether the URL query parameter is altered or not.
To check the URL expiry, you could use the parameters (expirationTime, timeStamp) that we have added.