Are Presigned URLs for S3 Secure Enough for Uploads?

Asked By InquisitiveUser92 On

I was looking into cloud storage costs, especially with Cloudflare R2's pricing based on operations, and a question came to mind. If I have a profile image management page where I provide users with presigned URLs to upload images, what stops someone from just scripting a simple upload of a tiny image 10,000 times? Presigned URLs can be reused until they expire, which could lead to huge operation costs even if the storage itself doesn't increase. Protecting the endpoint that generates these URLs seems pointless if someone can bypass security measures and automate the process. I'm curious how companies manage direct browser-to-S3 uploads without worrying about this issue.

1 Answer

Answered By TechieTinker On

Presigned URLs can actually be reused until they expire, which is a significant point to consider. The right strategy is to utilize S3 presigned POST URLs, which allow you to set policies on things like minimum and maximum file sizes right in the URL. Pair that with a short expiration time to combat those spam uploads.

ScriptKidd3r -

But even if you set a minimum size, a script could still just abort and restart the upload, right? If they create multiple parallel uploads, it might end up costing a lot for those ops!
