We have uploaded images in Azure Blob Storage with public access and in our Asp.Net MVC application we have showed them in this syntax:

<img src="https://xxxxx.blob.core.windows.net/image.png"/>

However, this is a security leak, because unauthorized users can also access all the images from the browser easily. That's why we are trying to use Shared Access Signature URLs for our images. But I have some questions:

Should we generate this URL for every request with a small expiry time? Maybe the user refreshes the same page 5 times; each time we would have to generate a different URL. Isn't this a performance issue?

Or,

Should we generate this URL with a long expiration time? But in this case, how can I refresh the token after the expiration time? How can I tell that the token is no longer valid? And with a long expiration time, can unauthorized users still access the images with this URL?


1 Answer

I would recommend going with the 1st approach:

Should we generate this URL for every request with a small expiry time? Maybe the user refreshes the same page 5 times; each time we would have to generate a different URL. Isn't this a performance issue?

Here are my reasons:

  • Once an image is displayed in the browser when the page loads, I am assuming that you don't need to reload the image dynamically until the user reloads the page, so the SAS URL has served its purpose.
  • Generating a SAS URL doesn't involve a network call to storage, so it won't be performance intensive. However, if there are hundreds of images on the page and all of them are from the same blob container, then you could create a short-lived SAS token on the container with Read permission and attach that SAS token to each image URL instead of creating a SAS token for each and every image separately. That way you are creating a SAS token just once for all the images on a page.
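A worked example of the container-level approach the answer describes, added here and not code from the question or the answer. It assumes the Azure.Storage.Blobs v12 SDK (BlobSasBuilder, BlobUriBuilder) and hypothetical account, key, container and blob names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;

// Hypothetical helper for the MVC app: one read-only container SAS per page
// render, shared by every <img> on that page (names and values are assumed).
public static class ImageSasHelper
{
    // Builds a container-scoped, read-only SAS that expires after `lifetime`.
    // No network call is made: the token is an HMAC computed locally with the account key.
    public static BlobSasQueryParameters CreateContainerReadSas(
        string accountName, string accountKey, string containerName, TimeSpan lifetime)
    {
        var sas = new BlobSasBuilder
        {
            BlobContainerName = containerName,
            Resource = "c",                                   // "c" = container, not a single blob
            StartsOn = DateTimeOffset.UtcNow.AddMinutes(-5),  // tolerate small clock skew
            ExpiresOn = DateTimeOffset.UtcNow.Add(lifetime),  // anyone holding the URL can read until then
        };
        sas.SetPermissions(BlobContainerSasPermissions.Read); // Read only: no List, Write or Delete

        var credential = new StorageSharedKeyCredential(accountName, accountKey);
        return sas.ToSasQueryParameters(credential);
    }

    // Attaches the same token to each blob URL; BlobUriBuilder handles path escaping.
    public static List<string> BuildImageUrls(
        string accountName, string containerName, BlobSasQueryParameters sas, IEnumerable<string> blobNames)
    {
        var endpoint = new Uri($"https://{accountName}.blob.core.windows.net");
        return blobNames.Select(name => new BlobUriBuilder(endpoint)
        {
            BlobContainerName = containerName,
            BlobName = name,
            Sas = sas,
        }.ToUri().ToString()).ToList();
    }
}

// Usage in a controller action (assumed names): generate once per request, reuse for all images.
// var sas = ImageSasHelper.CreateContainerReadSas(accountName, accountKey, "images", TimeSpan.FromMinutes(15));
// ViewBag.ImageUrls = ImageSasHelper.BuildImageUrls(accountName, "images", sas, new[] { "a.png", "b.png" });
// In the Razor view, emit <img src="@url" /> for each url in ViewBag.ImageUrls.
```

Because the token is bound to ExpiresOn, a URL copied out of the page keeps working only until that time, which is why the lifetime is kept to a few minutes rather than days.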