Presigned PUT request doesn't validate the Content-MD5?


I am using the Java v2 SDK to create a presigned URL. While creating the PutObjectRequest with the builder I also set the contentMD5 with the base64 encoded MD5 hash of the file that will be eventually uploaded with this obtained URL. According to the docs here, I can only use Content-MD5 for object integrity verification.

So, once I obtain the URL, I should be able to only upload the file whose MD5 hash matches the value that was supplied during the signed URL creation. If I choose to upload a different file, it should fail? But what I see is that it allows to upload any file, so is that not how the MD5 integrity check works?

To test further, I added the Content-MD5 header again in a Postman PUT request when uploading to AWS using the obtained presigned URL and this time it verifies it. Is it the expectation that the Content-MD5 hash has to be available during the signed URL creation and also in the PUT request?

asked 5 months ago406 views
1 Answer

Hi, When you create a presigned URL for uploading an object to S3 and include the Content-MD5 header in the PutObjectRequest, it means that AWS will expect the uploaded object to have the same MD5 hash as the one provided in the Content-MD5 header. If the uploaded object's MD5 hash doesn't match the expected value, AWS will reject the request.

However, it's essential to ensure that the Content-MD5 header is included both during the presigned URL creation and in the actual PUT request made to S3. If the Content-MD5 header is missing in the PUT request, S3 won't perform the integrity check, and the upload will succeed regardless of the object's MD5 hash.

Therefore, to enforce the integrity check:

  1. Include the Content-MD5 header when creating the presigned URL.
  2. Include the Content-MD5 header in the PUT request made using the presigned URL.

By doing so, AWS will verify that the uploaded object's MD5 hash matches the expected value, providing an additional layer of integrity verification for your uploads.

profile picture
answered 5 months ago
profile picture
reviewed 4 months ago
  • Hi Hari Priya, Thank you for the response. So this means that if I were to actually provide the original Content-MD5 header in the PUT request, but try to upload a different image in the body/payload then S3 will not allow that and it would fail?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions