  1. Nuxeo Platform
  2. NXP-28058

Decrease default value for nuxeo.s3storage.directdownload.expire in order to set a better example from a security perspective

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: S3

      Description

      Following a discussion on Slack, we think the default timeout of 1 hour for nuxeo.s3storage.directdownload.expire is too long and sets a bad precedent. This value should be as short as possible to ensure security (i.e., if a user mistakenly finds out the signed URL and shares it, it won't be usable). A few seconds should be enough. It is understood that there are potential issues related to the time on the Nuxeo server vs the time coming from AWS. Nonetheless, it would be better to err on the side of security.
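
The trade-off described above, as an added example that is not part of the ticket or of Nuxeo's code: it reads the lifetime out of a SigV4 presigned URL and shows how a signer clock that runs behind the verifier shortens, or removes, the usable window. The sample URLs, the 60-second policy ceiling and the 10-second skew are constructed assumptions, and the validity rule is modelled as signing time plus `X-Amz-Expires` measured on the verifier's clock.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

def parse_presigned(url):
    """Return (signed_at, lifetime_seconds) from SigV4 query parameters."""
    q = parse_qs(urlsplit(url).query)
    signed_at = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    return signed_at.replace(tzinfo=timezone.utc), int(q["X-Amz-Expires"][0])

def remaining_seconds(url, verifier_now):
    """Seconds the URL stays usable, measured on the verifier's (AWS) clock.
    Zero or negative means it is already rejected as expired."""
    signed_at, lifetime = parse_presigned(url)
    return (signed_at + timedelta(seconds=lifetime) - verifier_now).total_seconds()

def audit(url, max_lifetime, assumed_skew):
    """Classify a URL's lifetime against a policy ceiling and a skew floor."""
    _, lifetime = parse_presigned(url)
    if lifetime > max_lifetime:
        return "too-long"       # a leaked URL stays replayable for too long
    if lifetime <= assumed_skew:
        return "skew-fragile"   # a slow signer clock can expire it at issuance
    return "ok"

# Constructed sample URLs (bucket, credential and signature are placeholders).
BASE = ("https://example-bucket.s3.amazonaws.com/blob?X-Amz-Algorithm=AWS4-HMAC-SHA256"
        "&X-Amz-Credential=EXAMPLE%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
        "&X-Amz-Date=20240101T120000Z&X-Amz-SignedHeaders=host"
        "&X-Amz-Signature=constructed&X-Amz-Expires=")
ONE_HOUR = BASE + "3600"   # the 1 hour default the ticket describes
FIVE_SEC = BASE + "5"      # "a few seconds", as the ticket proposes

if __name__ == "__main__":
    # The signer stamped 12:00:00, but the verifier's clock already reads 12:00:10.
    aws_now = datetime(2024, 1, 1, 12, 0, 10, tzinfo=timezone.utc)
    for name, url in (("1h", ONE_HOUR), ("5s", FIVE_SEC)):
        print(name, remaining_seconds(url, aws_now), audit(url, 60, 10))
```

A lifetime that clears the assumed skew but stays under the ceiling is the range this check reports as `ok`.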
