silverstripe / silverstripe-s3

Silverstripe module to store assets in S3 rather than on the local filesystem (SS4/SS5 only)
BSD 3-Clause "New" or "Revised" License

Protected assets could be proxied via the server rather than using S3 pre-signed URLs #2

Closed madmatt closed 7 years ago

madmatt commented 7 years ago

v0.2.0 will support using S3 pre-signed URLs, but these by default can only be made available on a time-based expiry, and we don't have any easy way of working out whether a previously-generated URL is still valid or not, so the module generates a new one every time.

At the expense of memory and processing time, when the file is requested we could instead stream the data down. This would be more secure (only allowing files via a controller directly) and less dependent on AWS.

This would probably be opt-in via configuration, as some files might not be worth streaming down (e.g. large files).

madmatt commented 7 years ago

Never mind, I tried this but this still means that you need to allow anonymous access to protected files (even if only for a short period of time).

Instead, 0.2.0 has switched to reading the contents of the file from S3 and outputting it via the web server (a more secure, albeit less performant workaround).
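
The trade-off discussed in this issue, as an added example that is not part of the thread and is not the module's code: a pre-signed URL is checked by the storage side on signature and expiry only, while a proxying controller can evaluate permissions on every request. The signing scheme is a simplified HMAC stand-in (not AWS Signature V4), and every name, key and file below is constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"           # stand-in for the signing secret
ACL = {"reports/q3.pdf": {"alice"}}        # constructed: who may view each file
STORE = {"reports/q3.pdf": b"%PDF-demo"}   # constructed: stand-in for the bucket


def _sig(key, expires):
    return hmac.new(SECRET, f"{key}:{expires}".encode(), hashlib.sha256).hexdigest()


def presign(user, key, ttl, now):
    """Application checks the ACL once, then issues a time-limited URL."""
    if user not in ACL.get(key, set()):
        raise PermissionError(key)
    expires = int(now) + ttl
    return f"/{key}?expires={expires}&sig={_sig(key, expires)}"


def storage_get(url, now):
    """Storage side: validates signature and expiry only, not who is asking."""
    path, query = url.split("?", 1)
    params = dict(p.split("=", 1) for p in query.split("&"))
    key, expires = path.lstrip("/"), int(params["expires"])
    if now > expires or not hmac.compare_digest(params["sig"], _sig(key, expires)):
        return 403, b""
    return 200, STORE[key]


def proxy_get(user, key):
    """Proxy approach: the ACL is evaluated on every request before bytes are read."""
    if user not in ACL.get(key, set()):
        return 403, b""
    return 200, STORE[key]


def demo():
    ACL["reports/q3.pdf"] = {"alice"}
    t0 = 1_700_000_000  # constructed fixed clock
    url = presign("alice", "reports/q3.pdf", ttl=300, now=t0)
    ACL["reports/q3.pdf"].discard("alice")  # access revoked right after issue
    return {
        "presigned_after_revoke": storage_get(url, now=t0 + 60)[0],
        "presigned_after_expiry": storage_get(url, now=t0 + 301)[0],
        "proxy_after_revoke": proxy_get("alice", "reports/q3.pdf")[0],
    }


if __name__ == "__main__":
    print(demo())
```

The already-issued URL keeps working until its expiry even after the permission is removed, whereas the proxied request is refused immediately.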