In Depth: Signed URLs

[InDepth#9] One of the many awesome and completely underrated Laravel security features.

In a nutshell, Signed URLs are a way to securely verify that the requested URL has not been modified. They don’t directly offer authentication or authorisation: anyone who gains access to a signed URL can use it. What they do prevent is modification of the URL, so someone can’t change an ID or slug to guess at other resources and access other pages. It’s this power that allows them to be used in a wide variety of cases where you’d normally need to consider some method of obfuscation or randomness.

That said, from a technical point of view, all a signed URL does is generate a 64-character SHA256 hash (we’ll look at this in more detail below) and add that to the URL. You could easily implement that yourself using cache values or database lookup columns, but the benefit of a signed route is that you don’t need to do any of that. It just works out of the box.
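A minimal sketch of that mechanism in plain PHP, added here as an example and not Laravel's own code. It assumes the hash is an HMAC-SHA256 keyed with a server-side secret; the function names, the key and the `example.test` URL are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed key for this example; a real key is a server-side secret.
const EXAMPLE_KEY = 'constructed-example-key';

// Build the exact string that gets signed: base URL plus sorted parameters.
function canonicalUrl(string $base, array $params): string
{
    ksort($params);
    return $params === [] ? $base : $base . '?' . http_build_query($params);
}

// Append a 64-character hex signature computed over the canonical URL.
function signUrl(string $base, array $params, string $key): string
{
    $url = canonicalUrl($base, $params);
    $signature = hash_hmac('sha256', $url, $key);
    return $url . ($params === [] ? '?' : '&') . 'signature=' . $signature;
}

// Recompute the signature over everything except the signature parameter.
function hasValidSignature(string $url, string $key): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    parse_str($parts['query'] ?? '', $params);
    $provided = $params['signature'] ?? null;
    unset($params['signature']);
    if (!is_string($provided)) {
        return false; // missing, or sent as an array (signature[]=...)
    }
    $base = $parts['scheme'] . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . ($parts['path'] ?? '');
    $expected = hash_hmac('sha256', canonicalUrl($base, $params), $key);
    return hash_equals($expected, $provided); // constant-time comparison
}

$signed = signUrl('https://example.test/unsubscribe', ['user' => 42], EXAMPLE_KEY);
$edited = str_replace('user=42', 'user=43', $signed); // ID changed after signing

echo $signed, PHP_EOL;
var_dump(hasValidSignature($signed, EXAMPLE_KEY)); // untouched link
var_dump(hasValidSignature($edited, EXAMPLE_KEY)); // tampered link
```

The untouched link verifies and the edited one does not, because the signature was computed over `user=42` and cannot be recomputed for `user=43` without the key.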

To get a feel for how they work, let’s look at three different use cases:

  1. Email Unsubscribe Links
  2. Blog Post Preview Links
  3. Multi-page Content Magic Links