Enhancement Request: Improve Security of Signed URLs for Document Access

Zisha

Current Behavior

• Limble generates pre-signed URLs for files (with Expires, Signature, and Key-Pair-Id).
• These URLs act as bearer tokens — anyone who has the link can open the file until it expires.
• Once generated, there is no additional validation (e.g., whether the user is still logged in).

Pros of the Current Setup

• Convenient for sharing or embedding files.
• Fast and scalable, works well with CDNs.
• Expiration timestamp offers a basic safeguard.

Cons / Risks

• If a link is leaked or forwarded, anyone can access it until it expires.
• No way to revoke a single URL early (except by rotating all signing keys).
• No validation that the viewer is authenticated at the time of access.
• No audit trail to show who actually opened the file.

Industry Best Practices

• Signed URLs are widely used for efficiency and temporary access.
• Short lifetimes (minutes to a few hours) are recommended, not days.
• For sensitive documents (e.g., HR, financial, or customer data):
  • Require users to be logged in at the time of access, or
  • Use very short-lived URLs that refresh automatically.

Suggested Enhancements

1. Shorter Default Expiration
   Reduce signed URL lifetime to limit exposure if a link is leaked.
2. Admin Option for Auth Validation
   Allow organizations to enforce a login check before accessing certain file types.
3. Access Logging
   Provide visibility into who generated and who accessed each signed link.

Business Value

• Improves Security: Prevents unauthorized file access through leaked links.
• Auditability: Ensures admins can track file usage.
• Flexibility: Balances convenience with tighter control for sensitive documents.
• User Trust: Aligns Limble’s document handling with common enterprise security standards.