CloudFront authentication via signed URLs or cookies

  • cfsign

Downloads in past


601.0.44 years ago4 years agoMinified + gzip package size for cfsign in KB


A Typescript/Javascript lib for working with CloudFront signatures in NodeJs.

Getting started

Install cfsign from npm.
Instantiate a signer with your key configuration:
import { Signer } from "cfsign";
const signer = new Signer({
    privateKeyPem: "-----BEGIN RSA PRIVATE KEY-----\nXXXX..."

As per AWS documentation, cfsign supports short-ish URLs, signed using a "canned" policy. In this case a URL and an expiration date will do:
const expiration = new Date(new Date().getTime() + 10*60*1000);
const signedUrl = signer.signUrl(``, expiration);

To sign a more complex policy, just build one and then get the resulting cookies or query parameters.
const policy = {
    Statement: [{
        Condition: {
            DateGreaterThan: { "AWS:EpochTime": 0 },
            DateLessThan: { "AWS:EpochTime": 1 },
            IpAddress: { "AWS:SourceIp": "" }
        Resource: "*"
const signature = sut.sign(policy);

const cookies = signature.toCookies();
const signedUrl = signature.addToUrl("");

In typescript the Policy type will help you to write a correct policy.

Extra utils

If you prefer to set the key via a single line string, rather than a PEM, there's pemFormat():
import { pemFormat } from "cfsign/lib/keyUtils";
const signer = new Signer({
    privateKeyPem: pemFormat("XXXX")

Refer to typedocs or tests for further details and examples.