
I will be storing users' private files on S3. The files will be PDFs, possibly containing private financial information.

I'm considering letting users directly access the files on S3, without proxying all the traffic through my app server. How should I do that?

So far I'm considering:

  • Signed URLs - what are the risks of the URL being "stolen"? I guess HTTPS is a must, what else?
  • Signed Cookies - is it any better than signed URLs?

Is this the correct way of doing it, or should I use a completely different approach (maybe not S3)?

ssobczak

0 Answers