URL Signing
URL signing is a method of ensuring that a request cannot be tampered with. If you expose Konifer publicly, requiring signed URLs is highly recommended to prevent denial-of-service attacks.
Currently URL signing is only utilized when fetching assets. URL signatures cannot be used for storing, deleting, or updating an asset.
Supported Signing Algorithms
3 HMAC signing algorithms are supported:
hmac_sha256 (default)
hmac_sha384
hmac_sha512
Configuration
To enable URL signing, configure your secret and your algorithm in konifer.conf.
url-signing {
  enabled = true
  algorithm = hmac_sha512
  # Can also use URL_SIGNING_SECRET_KEY environment variable
  secret-key = secret
}
Usage
To sign a request, the entire path, including query selectors and query parameters, must be included in the signature payload.
Query parameters must be sorted alphabetically by parameter key in the signature payload.
Include the signature as an s query parameter in your request.
GET /assets/users/123/profile?h=300&blur=20&format=webp&s=f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8
If URL signing is enabled, every request that is missing a signature returns a 403 Forbidden. Invalid signatures also return a 403.
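The signing rules above, worked through as an added example (this is not Konifer's own code, and the function names are hypothetical). It assumes the payload is laid out as `path?k1=v1&k2=v2` and that the signature is hex-encoded, as the sample request suggests; the page does not state the exact byte layout, so confirm both against your Konifer deployment.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Algorithm names as written in konifer.conf, mapped to hashlib digests.
DIGESTS = {"hmac_sha256": hashlib.sha256, "hmac_sha384": hashlib.sha384,
           "hmac_sha512": hashlib.sha512}


def signature_payload(url: str) -> str:
    """Path plus query parameters sorted by key, without any existing `s`.

    ASSUMPTION: the canonical form is `path?k1=v1&k2=v2`; the page does not
    spell out the exact layout of the signed string.
    """
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "s"]
    params.sort(key=lambda kv: kv[0])  # stable sort: repeated keys keep their order
    query = urlencode(params)
    return f"{parts.path}?{query}" if query else parts.path


def sign(url: str, secret: str, algorithm: str = "hmac_sha256") -> str:
    """Hex HMAC of the payload (hex encoding is assumed from the sample request)."""
    digest = DIGESTS[algorithm]  # KeyError on an unsupported algorithm name
    return hmac.new(secret.encode(), signature_payload(url).encode(), digest).hexdigest()


def signed_url(url: str, secret: str, algorithm: str = "hmac_sha256") -> str:
    """Append the signature as the `s` query parameter; the request order is untouched."""
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}s={sign(url, secret, algorithm)}"


def verify(url: str, secret: str, algorithm: str = "hmac_sha256") -> bool:
    """Recompute the signature and compare in constant time."""
    supplied = dict(parse_qsl(urlsplit(url).query)).get("s", "")
    return hmac.compare_digest(supplied.encode(), sign(url, secret, algorithm).encode())


if __name__ == "__main__":
    # Constructed sample; "secret" is the placeholder key from the config above.
    print(signed_url("/assets/users/123/profile?h=300&blur=20&format=webp", "secret"))
```

Because the payload is sorted before signing, the client can send parameters in any order, while changing any signed value or dropping `s` makes `verify` fail, which corresponds to the 403 cases described above.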