HTTP referer on AWS S3

If you store files on AWS S3 to be referenced by your public website, you might want to prevent the link to be used by other websites or just to be shared without going first to your web page. Thus generating traffic cost on your AWS account without visiting your web page.

Setting up an HTTP referer policy (notice the misspelling) can help you achieve that. Not to be confused with CORS mechanism.

This is by no means a security feature as it’s very easy to bypass. An easy way for instance is to install a referer modifier browser extension. Do not confuse with extensions that suppress the http referer header for privacy reason or to prevent leaking private site addresses to destination linked website.

In my case, I store videos on S3 since it’s very fast, and it saves upload bandwidth on my internet connexion.

Set up

1. Set a policy on the S3 bucket

You’ll find several examples on internet. You can also check AWS documentation : Restricting Access to a Specific HTTP Referer

2. Restrict public access

Just check the
Block public access to buckets and objects granted through any access control lists (ACLs)
and make sure you do not block access point policies (the 2 last options in the screenshot).

3. File permissions

If you had the “Everyone (public access)” on the file it will be removed automatically, and you can’t add it as long as the “Block public access to buckets and objects granted through any access control lists (ACLs)” is checked.

Test by yourself

You can test by using the small video on the post.

You can also access it by clicking on the link :
https://s3.eu-central-1.amazonaws.com/pivert.org/january_the_first.mp4
This will work because you’re coming from pivert.org website, to the HTTP referer header of www.pivert.org will be added by your web browser.

But if you take the same link, and you paste it into a new browser window, it will be blocked with an AccessDeniedAccess error.

Leave a Reply

Your email address will not be published. Required fields are marked *