[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 409
  • Last Modified:

How to Manage security in Microsoft Azure Blob/PHP ? (URL Expiry)

Hi Experts,

How do we manage URL expiry in Azure blob storage solution ? Or is there any other solution to secure Azure blob content ?  Please provide some guide lines, HOWTOs etc,

Thanks for your time !
0
Shakthi777
Asked:
Shakthi777
1 Solution
 
btanExec ConsultantCommented:
Default TTL of 7 days and if you explicitly set the x-ms-blob-cache-control property as stated in link below (with code sample), you can have control on the cache period (in sec) e.g. value of the Cache-Control header for the blob.

http://msdn.microsoft.com/en-us/library/azure/gg680306.aspx

however, caching typically applies to static content (image, css, http pages, and not dynamic content (interactive html content, live streaming etc). assuming if the cache content is being poisoned or tamper, a copy will be served to the client and hence it is best not to have a very long caching periods if they are not easily abused. It also cannot be too short such that it negate the caching effect. It has to align to your business context and need. Maybe a optimal context can be 1hr as a start and test out on performance effects

Regardless, strict access control to those blob should be looked into first to reduce the window of exposure. There is shared access signature (SAS) for tconsideration. Do also check out also the "Best Practices for Using Shared Access Signatures"
Validate data written using SAS. When a client application writes data to your storage account, keep in mind that there can be problems with that data. If your application requires that that data be validated or authorized before it is ready to use, you should perform this validation after the data is written and before it is used by your application. This practice also protects against corrupt or malicious data being written to your account, either by a user who properly acquired the SAS, or by a user exploiting a leaked SAS.

Don't always use SAS. Sometimes the risks associated with a particular operation against your storage account outweigh the benefits of SAS. For such operations, create a middle-tier service that writes to your storage account after performing business rule validation, authentication, and auditing. Also, sometimes it's simpler to manage access in other ways. For example, if you want to make all blobs in a container publically readable, you can make the container Public, rather than providing a SAS to every client for access.
http://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/
(SAS' use case example) http://www.dotnetcurry.com/showarticle.aspx?ID=901
0
 
Shakthi777Author Commented:
Very good information, thanks again !
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now