Following a discussion on Slack, we think the default timeout of 1 hour for nuxeo.s3storage.directdownload.expire is too long and sets a bad precedent. This value should be as short as possible to ensure security (i.e., if a user mistakenly finds out the signed URL and shares it, it won't be usable). A few seconds should be enough. It is understood that there are potential issues related to the time on the Nuxeo server vs the time coming from AWS. Nonetheless It would be better to err on the side of security.