Django Security: Harnessing the Power of Signed URLs and Cookies

Introduction

When developing an application with crucial media, we can not share it openly in public. We need something that can resist users from misusing our media. For example, while developing a learning courses website/application. There will be so many images and video tutorials that as a developer we want to keep it secure. In this case, we are going to learn Signed URLs which have several advantages and will protect our media.

Prerequisites

We are going to use Django as our backend and will be developing APIs with the help of the Django rest framework. And for storing our media files will be using AWS S3 buckets. If you already have a basic understanding of Django and AWS. This will be easy for you to understand.

Methods

I am going to show you two ways to secure media files.

1. Signed URLs
2. Signed Cookies

Signed URLs

A signed URL is an URL that you can provide to your user to grant temporary access to a specific S3 object. A signed URL includes additional information, for example, expiration date and time, that gives you more control over access to your content. The URL needs to have some specific parameters like

Expires: The time that you want the URL to stop allowing access to the file.
Signature: The hashed and signed version of the policy statement.
Key-Pair-Id: Public key ID for the CloudFront public key whose corresponding private key you’re using to generate the signature.

How Signed URL Work?

Here’s an overview of how you configure CloudFront and Amazon S3 for signed URLs and how CloudFront responds when a user uses a signed URL to request a file.

➡️ In your CloudFront distribution, specify one or more trusted key groups, which contain the public keys that CloudFront can use to verify the URL signature. You use the corresponding private keys to sign the URLs.

➡️ Develop your application to determine whether a user should have access to your content and create signed URLs for the files or parts of your application that you want to restrict access to.

➡️ A user requests a file for which you want to require signed URLs.

➡️ Your application verifies that the user is entitled to access the file: they’ve signed in, they’ve paid for access to the content, or they’ve met some other requirement for access.

➡️ Your application creates and returns a signed URL to the user.

➡️ The signed URL allows the user to download or stream the content.

➡️ This step is automatic; the user usually doesn’t have to do anything additional to access the content. For example, if a user is accessing your content in a web browser, your application returns the signed URL to the browser. The browser immediately uses the signed URL to access the file in the CloudFront edge cache without any intervention from the user.

➡️ CloudFront uses the public key to validate the signature and confirm that the URL hasn’t been tampered with. If the signature is invalid, the request is rejected. If the signature is valid, CloudFront looks at the policy statement in the URL (or constructs one if you’re using a canned policy) to confirm that the request is still valid.

For example, if you specified a beginning and ending date and time for the URL, CloudFront confirms that the user is trying to access your content during the time period that you want to allow access. If the request meets the requirements in the policy statement, CloudFront does the standard operations: determines whether the file is already in the edge cache, forwards the request to the origin if necessary, and returns the file to the user.

Signed URL Implementation

Follow the below steps:

➡️ Create an S3 bucket on AWS and make it private for all public use except CloudFront.

➡️ Create Cloudfront for your bucket.

➡️ Create Django Project and do the necessary steps to make one API for getting one URL from the S3 bucket.

➡️ Now if you have the URL of a file stored in an S3 bucket and we wanted to convert this direct URL into a Signed URL by which we can access the file. Just need to add this code.

import os
from datetime import datetime, timedelta
from botocore.signers import CloudFrontSigner
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding


def rsa_signer(message):
key_data = os.getenv("CF_PEM_FILE").replace("\\n", "\n").encode()
private_key = serialization.load_pem_private_key(
key_data,
password=None,
backend=default_backend()
)
return private_key.sign(message, padding.PKCS1v15(), hashes.SHA1())





def get_pre_signed_url(url):
if url:
key_id = os.getenv("CF_KEY_PAIR")
expire_date = datetime.now() + timedelta(minutes=5)

cloud_front_signer = CloudFrontSigner(key_id, rsa_signer)

# Create a signed url that will be valid until the specific expiry date
# provided using a canned policy.
# noinspection PyTypeChecker
signed_url = cloud_front_signer.generate_presigned_url(url, date_less_than=expire_date)
return signed_url
return None

Explanation, rsa_signer method generates private for you from the Private key file. And get_pre_signed_url takes one argument URL, which is an S3 bucket URL, and will return the Signed URL.

Now,

CF_PEM_FILE

and

CF_KEY_PAIR

are the private pem file and key pair, which can get from AWS CloudFront.

Signed Cookies

CloudFront signed cookies allow you to control who can access your content when you don’t want to change your current URLs or when you want to provide access to multiple restricted files, for example, all of the files in the subscribers’ area of a website. This topic explains the considerations when using signed cookies and describes how to set signed cookies using canned and custom policies.

How Signed Cookies Work?

Here’s an overview of how you configure CloudFront for signed cookies and how CloudFront responds when a user submits a request that contains a signed cookie.

➡️ In your CloudFront distribution, specify one or more trusted key groups, which contain the public keys that CloudFront can use to verify the URL signature. You use the corresponding private keys to sign the URLs.

➡️ You develop your application to determine whether a user should have access to your content and, if so, to send three Set-Cookie headers to the viewer. (Each Set-Cookie header can contain only one name-value pair, and a CloudFront signed cookie requires three name-value pairs.) You must send the Set-Cookie headers to the viewer before the viewer requests your private content. If you set a short expiration time on the cookie, you might also want to send three more Set-Cookie headers in response to subsequent requests, so that the user continues to have access.

Typically, your CloudFront distribution will have at least two cache behaviours, one that doesn’t require authentication and one that does. The error page for the secure portion of the site includes a redirector or a link to a login page.
If you configure your distribution to cache files based on cookies, CloudFront doesn’t cache separate files based on the attributes in signed cookies.

➡️ A user signs in to your website and either pays for content or meets some other requirement for access.

➡️ Your application returns the Set-Cookie headers in the response, and the viewer stores the name-value pairs.

➡️ The user requests a file.

➡️ The user’s browser or other viewer gets the name-value pairs from step 4 and adds them to the request in a Cookie header. This is the signed cookie.

➡️ CloudFront uses the public key to validate the signature in the signed cookie and to confirm that the cookie hasn’t been tampered with. If the signature is invalid, the request is rejected.

If the signature in the cookie is valid, CloudFront looks at the policy statement in the cookie (or constructs one if you’re using a canned policy) to confirm that the request is still valid. For example, if you specified a beginning and ending date and time for the cookie, CloudFront confirms that the user is trying to access your content during the time period that you want to allow access.

If the request meets the requirements in the policy statement, CloudFront serves your content as it does for content that isn’t restricted: it determines whether the file is already in the edge cache, forwards the request to the origin if necessary, and returns the file to the user.

Signed URL Implementation

You can use the same Bucket and CloudFront as above or make a new setup by following the below steps:

➡️ Create an S3 bucket on AWS and make it private for all public use except CloudFront.

➡️ Create Cloudfront for your bucket.

➡️ Create Django Project and do the necessary steps to make one API for getting one URL from the S3 bucket.

➡️ Now if you have the URL of a file stored in an S3 bucket and we wanted to convert this direct URL into a Signed Cookie by which we can access the file. Just need to add this code.

import os
import time
import json
import base64

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding


def _replace_unsupported_chars(some_str):
"""Replace unsupported chars: '+=/' with '-_~'"""
return some_str.replace("+", "-") \
.replace("=", "_") \
.replace("/", "~")


def _in_an_hour():
"""Returns a UTC POSIX timestamp for one hour in the future"""
return int(time.time()) + (60000*60)


def rsa_signer(message, key):
"""
Based on https://boto3.readthedocs.io/en/latest/reference/services/cloudfront.html#examples
"""
private_key = serialization.load_pem_private_key(
key,
password=None,
backend=default_backend()
)
signer = private_key.signer(padding.PKCS1v15(), hashes.SHA1())
signer.update(message)
return signer.finalize()


def generate_policy_cookie(url):
"""Returns a tuple: (policy json, policy base64)"""

policy_dict = {
"Statement": [
{
"Resource": url,
"Condition": {
"DateLessThan": {
"AWS:EpochTime": _in_an_hour()
}
}
}
]
}

# Using separators=(',', ':') removes seperator whitespace
policy_json = json.dumps(policy_dict, separators=(",", ":"))

policy_64 = str(base64.b64encode(policy_json.encode("utf-8")), "utf-8")
policy_64 = _replace_unsupported_chars(policy_64)
return policy_json, policy_64


def generate_signature(policy, key):
"""Creates a signature for the policy from the key, returning a string"""
sig_bytes = rsa_signer(policy.encode("utf-8"), key)
sig_64 = _replace_unsupported_chars(str(base64.b64encode(sig_bytes), "utf-8"))
return sig_64


def generate_cookies(policy, signature, cloudfront_id):
"""Returns a dictionary for cookie values in the form 'COOKIE NAME': 'COOKIE VALUE'"""
return {
"CloudFront-Policy": policy,
"CloudFront-Signature": signature,
"CloudFront-Key-Pair-Id": cloudfront_id
}


def generate_curl_cmd(url, cookies):
"""Generates a cURL command (use for testing)"""
curl_cmd = "curl -v"
for k, v in cookies.items():
curl_cmd += " -H 'Cookie: {}={}'".format(k, v)
curl_cmd += " {}".format(url)
return curl_cmd


def generate_signed_cookies(url, cloudfront_id, key):
policy_json, policy_64 = generate_policy_cookie(url)
signature = generate_signature(policy_json, key)
return generate_cookies(policy_64, signature, cloudfront_id)


def get_signed_cookie(url_folder, url_exact):
if url_folder:
url_folder = os.getenv("CF_BUCKET_URL") + url_folder
url_exact = os.getenv("CF_BUCKET_URL") + url_exact
cookies = generate_signed_cookies(url_folder, os.getenv("CF_KEY_PAIR"), os.getenv("CF_PEM_FILE").replace("\\n", "\n").encode())
return generate_curl_cmd(url_exact, cookies)

Now, you just have to use get_signed_cookie Method for getting signed cookies data. As a signed cookie can work on any S3 folder so you have to pass two parameters here, one is the path of the folder you want to add a cookie, the second is the path of the actual file.