Uploading Directly to Azure Blob Storage


Fine Uploader Azure allows your users to upload files directly to your Azure Blob Storage container without the need to send the file through one of your servers first. This will, among other things, allow your application to be a bit more efficient and scalable.

How do uploads work?

When a user submits a file to Fine Uploader Azure, the following occurs:

  1. Fine Uploader constructs a URL that will represent the file as a blob once it is in the blob storage container.
  2. Fine Uploader sends a GET request to your signature server. Your server must then create a Shared Access Signature URI for that specific operation and blob. This URI must be returned in your server's response.
  3. Fine Uploader sends a Put Blob request to Azure and includes the file bytes in the request payload. The URL for this request is the SAS URI returned by your server in step 2.
  4. If the file uploaded successfully, Fine Uploader will send a POST request to your server with the blob details if you have specified an uploadSuccess.endpoint in your Fine Uploader Azure options configuration. If the upload failed, start over at step 2 automatically if the retry.enableAuto option is set to true.

The above steps are slightly different if Fine Uploader is chunking the file. Instead of a Put Blob request, Fine Uploader will send a Put Block request to Azure for each piece of the file. Once all pieces have been successfully uploaded, Fine Uploader will then send a Put Block List request, which asks Azure to combine all the blocks into a blob. Fine Uploader will call your signature server before each and every request, asking for a SAS URI.

How do delete file requests work?

If this feature is enabled, Fine Uploader will send a Delete Blob request directly to Azure when asked to delete a file. As usual, your signature server will be called on to provide a SAS URI before this request is sent to Azure. Note that even if this feature is disabled, Fine Uploader will issue a Delete Blob request to Azure if a user cancels an in-progress chunked upload. This is necessary to ensure that the uncommitted blocks are cleaned up by Azure.

Which features are available?

All features present in the traditional endpoint uploader are also available in Fine Uploader Azure, with one notable omission. Fine Uploader Azure does not support IE9 and older. This is due to the fact that Azure's API does not allow files to be uploaded via multipart encoded POST requests, which is critical for IE9 and older support. If you need to support IE9 and older, you will need to load/use Fine Uploader with its traditional endpoint handler if the value of qq.supportedFeatures.ajaxUploading is false.

Is this secure?

There is nothing inherently insecure about this workflow, provided you take appropriate precautions. For example:

  • Ensure your SAS URIs are short-lived. An expiration date of a few minutes or seconds is appropriate.
  • When constructing your SAS URI, only attach the required permission(s) to the URI.
  • Examine the blob URI before generating a SAS. It is potentially unwise to blindly generate signatures.
  • Keep your Azure storage account key a secret. Do not commit it to any public repository. Ensure it is never sent to the client in a response or cookie.
  • When creating CORS rules for your container, only authorize your domain(s), the expected request headers, and the expected request methods. Avoid using wildcards as values whenever possible. Also, keep in mind that CORS is NOT a security mechanism.

How do I use this?

Please see the getting started guides on the home page of this documentation site.