Difference between HTTP Authorization header and Query string parameters


While I was reading about interaction with Amazon S3, I came to know that request authentication with Amazon AWS is done in 2 ways:

  1. HTTP Authorization:
    Using the HTTP Authorization header is the most common method of providing authentication information
  2. Query string parameters:
    Using query parameters to authenticate requests is useful when you want to express a request entirely in a URL. This method is also referred to as presigning a URL.

The question is in which situation should I prefer one method over the other. Do these two authentication methods have their own advantages and disadvantages? As a developer, by using query string parameters method I can presign the URL which enables the end users to temporarily access the Amazon S3 resources by entering the presigned URL in the web browser. Can I use HTTP Authorization method to achieve the same thing? If so which method is better to use and what are their respective limitations?


Can I use HTTP Authorization method to achieve the same thing?

Sometimes. The key difference is that, as a developer, you don’t always have enough control over the user agent to inject a header. The most obvious example of this is a simple GET request launched by a web browser in response to the user clicking a link. In that situation, you don’t have the ability to inject an Authorization: header for the browser to send … so pre-signing the URL is all you can do.

Importantly, there’s no information in a signed URL that is considered sensitive, so there’s no particularly strong motivation to use the header instead of a signed URL. Your AWS Access Key ID is not secret, and your AWS Secret can’t be derived from the other elements and the signature in a computationally-feasible time frame, particularly if you use Signature Version 4, which you should. Signature Version 2 is not officially deprecated in older regions, but newer S3 never supported it and likely never will.

When you do control the user agent, such as in back-end server code, adding the header may be preferable, because you don’t need to do any manipulation of the URL string you already have in-hand.
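To make the two mechanisms concrete, here is an added example (not code from the original question or answer, and not the AWS SDK) that derives one Signature Version 4 signing key and uses it both ways for a single S3 GET: once as a presigned URL, once as an Authorization header. The access key ID, secret, bucket, object key and timestamp are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import quote

ACCESS_KEY = "AKIAEXAMPLEKEY000000"                # constructed, not a real key ID
SECRET = "exampleSecretKey/NotReal+000000000000"   # constructed, not a real secret
REGION, BUCKET, OBJECT_KEY = "us-east-1", "example-bucket", "reports/q1.pdf"
TIMESTAMP = "20240101T120000Z"                     # fixed so the output is reproducible
HOST = f"{BUCKET}.s3.{REGION}.amazonaws.com"
SCOPE = f"{TIMESTAMP[:8]}/{REGION}/s3/aws4_request"

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signature(canonical_request: str) -> str:
    """Derive the SigV4 signing key from the secret, then sign the canonical request.
    The secret only ever enters this HMAC chain; it never appears in the output."""
    key = _hmac(("AWS4" + SECRET).encode(), TIMESTAMP[:8])
    for part in (REGION, "s3", "aws4_request"):
        key = _hmac(key, part)
    string_to_sign = f"AWS4-HMAC-SHA256\n{TIMESTAMP}\n{SCOPE}\n{_sha256(canonical_request.encode())}"
    return _hmac(key, string_to_sign).hex()

def presigned_url(expires: int = 3600) -> str:
    """Query-string auth: a browser following this link sends everything S3 needs."""
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{SCOPE}",   # key ID is public, secret is not here
        "X-Amz-Date": TIMESTAMP,
        "X-Amz-Expires": str(expires),                 # expiry is covered by the signature
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical = f"GET\n/{quote(OBJECT_KEY, safe='/')}\n{query}\nhost:{HOST}\n\nhost\nUNSIGNED-PAYLOAD"
    return f"https://{HOST}/{quote(OBJECT_KEY, safe='/')}?{query}&X-Amz-Signature={signature(canonical)}"

def authorization_header() -> str:
    """Header auth: same signing key, but the caller must control the user agent to set it."""
    body_hash = _sha256(b"")                           # GET carries an empty payload
    canonical = (f"GET\n/{quote(OBJECT_KEY, safe='/')}\n\nhost:{HOST}\n"
                 f"x-amz-content-sha256:{body_hash}\nx-amz-date:{TIMESTAMP}\n\n"
                 f"host;x-amz-content-sha256;x-amz-date\n{body_hash}")
    return (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{SCOPE}, "
            f"SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature={signature(canonical)}")
```

Changing X-Amz-Expires (or any other signed element) changes the signature, which is why a presigned URL cannot be extended or retargeted by whoever receives it.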
