What’s the correct CORS configuration for allowing direct uploads in S3?

Any website should be able to show the images (GET), but files should only be uploadable from https://wip.chat.

Here's what I'm thinking:

https://gist.github.com/marckohlbrugge/b493e74ca764f99ea3f94bd6e112d4ac
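An added example of the two-rule CORS configuration the question describes (this is illustrative, not the contents of the linked gist): one rule lets any origin read objects, a second lets only https://wip.chat issue the browser-side PUT/POST used for direct uploads. S3 applies the first rule whose origin, method and headers match the preflight request, so the permissive GET rule does not widen the upload rule. The bucket name and max-age values are assumptions.

```json
[
  {
    "AllowedOrigins": ["*"],
    "AllowedMethods": ["GET"],
    "AllowedHeaders": [],
    "MaxAgeSeconds": 3000
  },
  {
    "AllowedOrigins": ["https://wip.chat"],
    "AllowedMethods": ["PUT", "POST"],
    "AllowedHeaders": ["*"],
    "ExposeHeaders": ["ETag"],
    "MaxAgeSeconds": 3000
  }
]
```

Caveat a practitioner would check: this only tells browsers which cross-origin requests to allow; it is not access control. Who may actually write to the bucket is decided by the bucket policy, IAM and whatever signed URL or POST policy the server hands to the page, so the rule above should be paired with those rather than relied on alone.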


CORS security is implemented in browsers, and not something on the origin. If you set up your S3 bucket to allow public uploads, even if that's from WIP.chat using CORS, anybody can upload anything to your S3 bucket outside of a browser by issuing direct POST/PUT calls.

Thanks, that's a fair point. That said, it still seems wise to specify the origin within the CORS configuration so unknowing users (using regular browsers) can't be tricked into uploading to my S3 bucket. I guess that's the point of the origin being configurable by S3?

I am not sure what use cases require public uploads, to be honest, except running an image hosting site.

Also pretty sure nobody would try to trick the user into uploading something to your S3 bucket. They would instead upload something themselves and then distribute it.

What you need to do is create a single-use policy, something like explained here - stackoverflow.com/a/18901867/…
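An added example of the kind of server-generated, single-use POST policy the comment refers to (this is example code, not WIP.chat's implementation and not from the linked Stack Overflow answer). It uses only the Python standard library: the server picks the object key, pins the bucket, content type and size range into a short-lived policy, signs it with AWS Signature Version 4, and hands the resulting form fields to the browser. A verify function recomputes the signature the way S3 does, to show that editing any condition (for example the key) invalidates the upload. Bucket, region, key prefix and the credentials are constructed sample values.

```python
"""Scoped, short-lived S3 browser-upload (POST) policy: generate and verify.

Added example. Standard library only, no boto3, no network.
All credentials and names below are made-up sample values.
"""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

BUCKET = "wip-chat-uploads-example"          # constructed sample bucket
REGION = "us-east-1"
ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"         # not a real key
SECRET_KEY = "example-secret-access-key-do-not-use"


def signing_key(secret, date_stamp, region, service="s3"):
    """SigV4 signing key: HMAC-SHA256 chained over date, region, service."""
    def h(key, msg):
        return hmac.new(key, msg.encode(), hashlib.sha256).digest()
    k_date = h(("AWS4" + secret).encode(), date_stamp)
    k_region = h(k_date, region)
    k_service = h(k_region, service)
    return h(k_service, "aws4_request")


def sign_policy(policy_b64, date_stamp, region, secret=SECRET_KEY):
    """For POST policies the string to sign is the base64 policy itself."""
    key = signing_key(secret, date_stamp, region)
    return hmac.new(key, policy_b64.encode(), hashlib.sha256).hexdigest()


def presign_post(user_id, content_type, max_bytes, now=None,
                 ttl=timedelta(minutes=5)):
    """Build the form fields a signed-in user gets for one upload.

    The server chooses the key, so the browser cannot pick (or overwrite)
    another object; size and content type are pinned; the policy expires.
    """
    now = now or datetime.now(timezone.utc)
    key = f"uploads/{user_id}/{secrets.token_hex(16)}"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    credential = f"{ACCESS_KEY_ID}/{date_stamp}/{REGION}/s3/aws4_request"
    policy = {
        "expiration": (now + ttl).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "conditions": [
            {"bucket": BUCKET},
            {"key": key},                      # exact key, not a prefix
            {"acl": "private"},
            {"Content-Type": content_type},
            ["content-length-range", 1, max_bytes],
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    fields = {
        "key": key,
        "acl": "private",
        "Content-Type": content_type,
        "policy": policy_b64,
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": credential,
        "x-amz-date": amz_date,
        "x-amz-signature": sign_policy(policy_b64, date_stamp, REGION),
    }
    return {"url": f"https://{BUCKET}.s3.{REGION}.amazonaws.com/",
            "fields": fields}


def verify_post_signature(fields, secret=SECRET_KEY):
    """Recompute the signature as S3 would; any policy change breaks it."""
    date_stamp = fields["x-amz-date"][:8]
    region = fields["x-amz-credential"].split("/")[2]
    expected = sign_policy(fields["policy"], date_stamp, region, secret)
    return hmac.compare_digest(expected, fields["x-amz-signature"])


def policy_conditions(fields):
    """Decode the signed policy and return its condition list."""
    return json.loads(base64.b64decode(fields["policy"]))["conditions"]


def tamper_key(fields, new_key):
    """Simulate a client rewriting the key condition without re-signing."""
    policy = json.loads(base64.b64decode(fields["policy"]))
    policy["conditions"] = [
        {"key": new_key} if isinstance(c, dict) and "key" in c else c
        for c in policy["conditions"]
    ]
    tampered = dict(fields)
    tampered["key"] = new_key
    tampered["policy"] = base64.b64encode(json.dumps(policy).encode()).decode()
    return tampered


if __name__ == "__main__":
    form = presign_post("user42", "image/png", 5 * 1024 * 1024)
    print(form["url"], verify_post_signature(form["fields"]))
```

The CORS rule only decides whether the browser is allowed to send this form to the bucket; the policy above is what limits who can write, where, how much and for how long. Pruning objects that never get attached to a saved record, as the original poster does, covers the remaining window in which a valid policy could be used to park a file.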

Ah yes, I already generate a policy so only signed in users can upload files to our S3 buckets. And files that aren't attached to a saved database entry (e.g. a comment) are automatically pruned.

So I think things are pretty safe as is. Just wondering if there are any best practices otherwise.