We're a group of makers shipping together. We help each other stay accountable and reach our goals.
Apply for access
Ashish Kumar (Ashfame) 🐲
@Ashfame
Cyberpunk @ Woodpckr.com | Building AirGapped Crypto Vault live on stream
I am not sure what use cases are there that require public uploads to be honest except running an image hosting site.
Also pretty sure nobody would try to trick uploading the user to upload something to your s3 bucket. But instead upload something themselves and then distribute it.
What you need to do is create a single-use policy, something like explained here - stackoverflow.com/a/18901867/…
Ah yes, I already generate a policy so only signed in users can upload files to our S3 buckets. And files that aren't attached to a saved database entry (e.g. a comment) are automatically pruned.
So I think things are pretty safe as is. Just wondering if there are any best practices otherwise.
Something that I am currently feeling the need to build myself:
- Reminds me to drink water + measure my daily intake
- Reminds me to take my pills (I often forget how many doses I have taken today)
- Reminds me to take my eyes off from screen
CORS security is implemented in browsers. And not something on the origin. If you setup your S3 bucket to allow public uploads, even if that's from WIP.chat using CORS, anybody can upload anything to your S3 bucket outside of a browser, by issuing direct POST/PUT calls.
Thanks, that's a fair point. That said, it still seems wise to specify the origin within the CORS configuration so unknowing users (using regular browsers) can't be tricked into uploading to my S3 bucket. I guess that's the point of the origin being configurable by S3?
I am not sure what use cases are there that require public uploads to be honest except running an image hosting site.
Also pretty sure nobody would try to trick uploading the user to upload something to your s3 bucket. But instead upload something themselves and then distribute it.
What you need to do is create a single-use policy, something like explained here - stackoverflow.com/a/18901867/…
Ah yes, I already generate a policy so only signed in users can upload files to our S3 buckets. And files that aren't attached to a saved database entry (e.g. a comment) are automatically pruned.
So I think things are pretty safe as is. Just wondering if there are any best practices otherwise.
Understanding pain points (problem) and then talking to them about solving that problem and its worth to them.
Ask them if they can pre-pay (with additional incentive of course).
And then building it rather than trying to build first and then trying to sell it.
I use Custom hotkeys to change screens on the fly. So if I am looking at something that shouldn't be shown, I hide my screen temporarily.
And when its about using that sensitive bit in code, put that into a flat file somewhere and just read from it in code while you work on it on-stream. Easy fix! :)