Is showing x-amz-credential or any Amazon stuff publicly okay in a form?

Question:

In my form it is showing my policy and x-amz-credential, x-amz-algorithm, x-amz-signature, my bucket, etc…

Answer:

Yes, that’s fine. It’s designed not to expose sensitive data, and this data isn’t sensitive.

Your AWS Access Key Secret is the only value that is secret and must not be revealed. (There’s also a sensitive intermediate value called the signing key that’s generated from the secret, which you won’t see unless you wrote your own V4 request signing code). The signature is derived from the signing key and other request parameters; the signing key is service and region specific and is derived from the secret and used in your code, then discarded… and both of these values are generated using a one-way process that makes it computationally infeasible to reverse-engineer.
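The derivation the answer describes, as an added Python example that is not part of the original answer: it builds the Signature Version 4 signing key from the secret and signs a browser-upload policy, returning only the fields that end up in the form. The access key ID, secret, bucket name, dates and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str = "s3") -> bytes:
    """SigV4 signing key: a chain of one-way HMAC-SHA256 steps seeded by the secret."""
    k_date = _hmac(("AWS4" + secret).encode(), date)
    k_region = _hmac(k_date, region)      # makes the key region specific
    k_service = _hmac(k_region, service)  # makes the key service specific
    return _hmac(k_service, "aws4_request")

def post_form_fields(access_key_id, secret, bucket, date, region):
    """Return the public form fields; the secret and signing key stay server-side."""
    credential = f"{access_key_id}/{date}/{region}/s3/aws4_request"
    amz_date = f"{date}T000000Z"
    policy = {
        "expiration": "2030-01-02T00:00:00Z",
        "conditions": [
            {"bucket": bucket},
            ["starts-with", "$key", "uploads/"],
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }
    # For a POST policy, the string to sign is the Base64-encoded policy itself.
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    key = signing_key(secret, date, region)  # used once here, then discarded
    signature = hmac.new(key, policy_b64.encode(), hashlib.sha256).hexdigest()
    return {
        "policy": policy_b64,
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": credential,
        "x-amz-date": amz_date,
        "x-amz-signature": signature,
    }

# Constructed sample values, not real credentials.
ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
SECRET = "constructed-secret-for-illustration-only"
fields = post_form_fields(ACCESS_KEY_ID, SECRET, "example-bucket", "20300101", "us-east-1")

if __name__ == "__main__":
    for name, value in fields.items():
        print(f"{name} = {value}")
```

The credential field carries only the access key ID and the signing scope, and the signature is valid only for this exact policy, date, region and service.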
