Is it safe to access/update Azure Blob storage from browser using SAS token?

Question

I am trying to upload files from Javascript to Azure blob storage using SAS token. SAS token has permission to Create/Delete/update the blob. Is it safe to share SAS token with all these permissions by giving it an expiry time?

Or instead of exposing the token to user, I should create an API to upload the file and let javascript call that API(.NET application) which will upload the file to blob storage. In this way, I'll be having performance issues as my file size can be of 10MB max.

What is the best way for this?

rickvdbosch rickvdbosch · Accepted Answer · 2019-01-08T08:57:43

Shared access signatures are useful for providing limited permissions to your storage account to clients that should not have the account key.

If you are the one writing data to the storage account, do so server side. Of course, you could have your front-end request a SAS token from the back-end. And the SAS token could use near-term expiration times. In the end, you're still opening up parts of the storage account to anyone who can access the frontend.

With near-term expiration, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it

Source: Using shared access signatures (SAS)

If you have issues with the size of the file to upload, have a look at doing a chunked upload. Depending on the type of frontend you're building, there are lots of solutions for chunked uploading, like ngx-uploadx for Angular.

Is it safe to access/update Azure Blob storage from browser using SAS token?

3 Answers