Azure Blob Storage Shared Access Signature - security?

Question

I am working on a Azure Blob Storage which has some image files. I want to use the image in my website, but want to pull the images securely. The code I wrote is using a SAS token generated on the container. However to retrieve the image, the URL to the image file is used with the SAS token passed as a URL parameter. Isn't that insecure in the sense that anyone who gets the SAS token for the time it is valid, can also download the image? Is there some way to post the SAS token back within the Request header so that its protected? How would I achieve this?

So at the moment I can generate a SAS programmatically. But when using it to retrieve the blob I dont want to use the format of https://myblobstore.blob.core.windows.net/test/image-0_8.jpg?skoid=<>&sktid=<>&skt=<>&ske=<>&sks=b&skv=<>&st=<>&se=<>&sr=b&sp=r&sig=<>, since the signature is readable to anyone. Is there another way?

Thanks in advance, Jake.

Answer 1

I am not sure how the web application was configured. But you can use the below concept of code that might be help you to access the blob files or images over website without displaying the SAS URL in your request Header.

Reference piece of code:- Download and display a private Azure Blob using ASP MVC

Additional References:

• https://www.edureka.co/community/7243/azure-blob-how-to-open-file-in-browser-without-downloading-it
• How can I view an image from Azure Blob Storage, rather than download it?

Couple of points to note: 1) Make sure to set the correct content type (Or Mime Type) 2) Don't use any streaming APIs (i.e. file stream) - those will by default download the files 3) If possible try to add the right header (if needed)

Below is the whole source code (it's the controller part )
//ViewModel  
public class ViewModel  
{  
public string FileUrl { get; set; }  
}
{
var readPolicy = new SharedAccessBlobPolicy()
{
Permissions = SharedAccessBlobPermissions.Read,
SharedAccessExpiryTime = DateTime.UtcNow + TimeSpan.FromMinutes(5)
};

// Retrieve storage account from connection string.
string conn = "DefaultEndpointsProtocol=https;AccountName=straccountname;AccountKey=key==;EndpointSuffix=core.windows.net";
Microsoft.WindowsAzure.Storage.CloudStorageAccount storageAccount = CloudStorageAccount.Parse(conn);

// Create the blob client.
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

// Retrieve reference to a previously created container.
CloudBlobContainer container = blobClient.GetContainerReference("test");

// Retrieve reference to a blob ie "20200809_125724.jpg".
CloudBlockBlob blockBlob = container.GetBlockBlobReference("20200809_125724.jpg");

//------
var newUri = new Uri(blockBlob.Uri.AbsoluteUri + blockBlob.GetSharedAccessSignature(readPolicy));
var viewModel = new ViewModel()
{
FileUrl = newUri.ToString()
};
return View("Index", viewModel);
// return View();
}

Reference: https://learn.microsoft.com/en-us/answers/questions/252303/sas-url-to-display-in-browser-rather-than-download.html

Answer 2

What you might be missing (and what I managed to completely forget for a moment, hence doing the research and finding your question) is that for HTTPS query string is encrypted, just like other parts of the request - hence this isn't more or less safe than passing the SAS token in, e.g., a header or request body.