

# Browser-based uploads using POST (AWS signature version 2)
<a name="UsingHTTPPOST"></a>

Amazon S3 supports POST, which allows your users to upload content directly to Amazon S3. POST is designed to simplify uploads, reduce upload latency, and save you money on applications where users upload data to store in Amazon S3.

**Note**  
The request authentication discussed in this section is based on AWS Signature Version 2, a protocol for authenticating inbound API requests to AWS services.   
Amazon S3 now supports Signature Version 4, a protocol for authenticating inbound API requests to AWS services, in all AWS Regions. At this time, AWS Regions created before January 30, 2014 will continue to support the previous protocol, Signature Version 2. Any new regions after January 30, 2014 will support only Signature Version 4 and therefore all requests to those regions must be made with Signature Version 4. For more information, see [Authenticating Requests in Browser-Based Uploads Using POST (AWS Signature Version 4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-authentication-HTTPPOST.html) in the *Amazon Simple Storage Service API Reference*. 

The following figure shows an upload using Amazon S3 POST.

![\[Illustration that shows an upload using Amazon S3 POST.\]](http://docs.aws.amazon.com/AmazonS3/latest/API/images/s3_post.png)



**Uploading using POST**  

|  |  | 
| --- |--- |
| 1 | The user opens a web browser and accesses your web page. | 
| 2 | Your web page contains an HTTP form that contains all the information necessary for the user to upload content to Amazon S3. | 
| 3 | The user uploads content directly to Amazon S3. | 

**Note**  
Query string authentication is not supported for POST.

# HTML forms (AWS signature version 2)
<a name="HTTPPOSTForms"></a>

**Topics**
+ [HTML form encoding](#HTTPPOSTFormEncoding)
+ [HTML form declaration](#HTTPPOSTFormDeclaration)
+ [HTML form fields](#HTTPPOSTFormFields)
+ [Policy construction](#HTTPPOSTConstructPolicy)
+ [Constructing a signature](#HTTPPOSTConstructingPolicySignature)
+ [Redirection](#HTTPPOSTConstructingPolicyRedirection)

When you communicate with Amazon S3, you normally use the REST or SOAP API to perform put, get, delete, and other operations. With POST, users upload data directly to Amazon S3 through their browsers, which cannot process the SOAP API or create a REST `PUT` request.

**Note**  
 SOAP APIs for Amazon S3 are not available for new customers, and are approaching End of Life (EOL) on October 31, 2025. We recommend that you use either the REST API or the AWS SDKs. 

To allow users to upload content to Amazon S3 by using their browsers, you use HTML forms. HTML forms consist of a form declaration and form fields. The form declaration contains high-level information about the request. The form fields contain detailed information about the request, as well as the policy that is used to authenticate it and ensure that it meets the conditions that you specify.

**Note**  
The form data and boundaries (excluding the contents of the file) cannot exceed 20 KB.

This section explains how to use HTML forms.

## HTML form encoding
<a name="HTTPPOSTFormEncoding"></a>

The form and policy must be UTF-8 encoded. You can apply UTF-8 encoding to the form by specifying it in the HTML heading or as a request header.

**Note**  
 The HTML form declaration does not accept query string authentication parameters. 

The following is an example of UTF-8 encoding in the HTML heading:

```
<html>
  <head>
    ...
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    ...
  </head>
  <body>
```

The following is an example of UTF-8 encoding in a request header:

```
Content-Type: text/html; charset=UTF-8
```

## HTML form declaration
<a name="HTTPPOSTFormDeclaration"></a>

The form declaration has three components: the action, the method, and the enclosure type. If any of these values is improperly set, the request fails.

The action specifies the URL that processes the request, which must be set to the URL of the bucket. For example, if the name of your bucket is `awsexamplebucket1` and the Region is US West (N. California), the URL is `https://awsexamplebucket1.s3.us-west-1.amazonaws.com/`.

**Note**  
The key name is specified in a form field.

The method must be POST.

The enclosure type (enctype) must be specified and must be set to multipart/form-data for both file uploads and text area uploads. For more information, go to [RFC 1867](http://www.ietf.org/rfc/rfc1867.txt).

**Example**  
The following example is a form declaration for the bucket "awsexamplebucket1".  

```
<form action="https://awsexamplebucket1.s3.us-west-1.amazonaws.com/" method="post"
      enctype="multipart/form-data">
```

## HTML form fields
<a name="HTTPPOSTFormFields"></a>

The following table describes fields that can be used within an HTML form.

**Note**  
The variable `${filename}` is automatically replaced with the name of the file provided by the user and is recognized by all form fields. If the browser or client provides a full or partial path to the file, only the text following the last slash (`/`) or backslash (`\`) will be used. For example, `C:\Program Files\directory1\file.txt` will be interpreted as `file.txt`. If no file or file name is provided, the variable is replaced with an empty string.


| Field name | Description | Required | 
| --- | --- | --- | 
| AWSAccessKeyId |  The AWS Access Key ID of the owner of the bucket who grants an anonymous user access for a request that satisfies the set of constraints in the policy. This field is required if the request includes a policy document.  |  Conditional  | 
| acl |  An Amazon S3 access control list (ACL). If an invalid access control list is specified, an error is generated. Type: String Default: private  Valid Values: `private \| public-read \| public-read-write \| aws-exec-read \| authenticated-read \| bucket-owner-read \| bucket-owner-full-control `   |  No  | 
| Cache-Control, Content-Type, Content-Disposition, Content-Encoding, Expires |  REST-specific headers. For more information, see [PUT Object](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html).  |  No  | 
| key |  The name of the uploaded key. To use the filename provided by the user, use the `${filename}` variable. For example, if user Betty uploads the file lolcatz.jpg and you specify `/user/betty/${filename}`, the file is stored as /user/betty/lolcatz.jpg. For more information, see [Working with object metadata ](https://docs.aws.amazon.com//AmazonS3/latest/userguide/UsingMetadata.html).  |  Yes  | 
| policy |  Security policy describing what is permitted in the request. Requests without a security policy are considered anonymous and will succeed only on publicly writable buckets.   |  No  | 
| success_action_redirect, redirect |  The URL to which the client is redirected upon successful upload. Amazon S3 appends the bucket, key, and etag values as query string parameters to the URL. If success_action_redirect is not specified, Amazon S3 returns the empty document type specified in the success_action_status field. If Amazon S3 cannot interpret the URL, it ignores the field. If the upload fails, Amazon S3 displays an error and does not redirect the user to a URL. For more information, see [Redirection](#HTTPPOSTConstructingPolicyRedirection). The redirect field name is deprecated and support for the redirect field name will be removed in the future.  |  No  | 
| success_action_status |  The status code returned to the client upon successful upload if success_action_redirect is not specified. Valid values are 200, 201, or 204 (default). If the value is set to 200 or 204, Amazon S3 returns an empty document with a 200 or 204 status code. If the value is set to 201, Amazon S3 returns an XML document with a 201 status code. For information about the content of the XML document, see [POST Object](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOST.html). If the value is not set or if it is set to an invalid value, Amazon S3 returns an empty document with a 204 status code. Some versions of the Adobe Flash player do not properly handle HTTP responses with an empty body. To support uploads through Adobe Flash, we recommend setting `success_action_status` to 201.  |  No  | 
| signature |  The HMAC signature constructed by using the secret access key that corresponds to the provided AWSAccessKeyId. This field is required if a policy document is included with the request.  For more information, see [Identity and Access Management for Amazon S3](https://docs.aws.amazon.com//AmazonS3/latest/userguide/security-iam.html).  |  Conditional  | 
| Other field names prefixed with x-amz-meta- |  User-specified metadata.  Amazon S3 does not validate or use this data. For more information, see [ PUT Object](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html).  |  No  | 
| file |  File or text content.  The file or content must be the last field in the form. Any fields below it are ignored. You cannot upload more than one file at a time.  |  Yes  | 

## Policy construction
<a name="HTTPPOSTConstructPolicy"></a>

**Topics**
+ [Expiration](#HTTPPOSTExpiration)
+ [Conditions](#PolicyConditions)
+ [Condition matching](#ConditionMatching)
+ [Character escaping](#HTTPPOSTEscaping)

The policy is a UTF-8 and Base64-encoded JSON document that specifies conditions that the request must meet and is used to authenticate the content. Depending on how you design your policy documents, you can use them per upload, per user, for all uploads, or according to other designs that meet your needs.

**Note**  
 Although the policy document is optional, we highly recommend it over making a bucket publicly writable. 

The following is an example of a policy document:

```
{ "expiration": "2007-12-01T12:00:00.000Z",
  "conditions": [
    {"acl": "public-read" },
    {"bucket": "awsexamplebucket1" },
    ["starts-with", "$key", "user/eric/"]
  ]
}
```

The policy document contains the expiration and conditions.

### Expiration
<a name="HTTPPOSTExpiration"></a>

The expiration element specifies the expiration date of the policy in ISO 8601 UTC date format. For example, "2007-12-01T12:00:00.000Z" specifies that the policy is not valid after midnight UTC on 2007-12-01. Expiration is required in a policy.

### Conditions
<a name="PolicyConditions"></a>

The conditions in the policy document validate the contents of the uploaded object. Each form field that you specify in the form (except AWSAccessKeyId, signature, file, policy, and field names that have an x-ignore- prefix) must be included in the list of conditions. 

**Note**  
If you have multiple fields with the same name, the values must be separated by commas. For example, if you have two fields named "x-amz-meta-tag" and the first one has a value of "Ninja" and second has a value of "Stallman", you would set the policy document to `Ninja,Stallman`.  
 All variables within the form are expanded before the policy is validated. Therefore, all condition matching should be performed against the expanded fields. For example, if you set the key field to `user/betty/${filename}`, your policy might be `[ "starts-with", "$key", "user/betty/" ]`. Do not enter `[ "starts-with", "$key", "user/betty/${filename}" ]`. For more information, see [Condition matching](#ConditionMatching). 

The following table describes policy document conditions.


| Element name | Description | 
| --- | --- | 
| acl |  Specifies conditions that the ACL must meet.  Supports exact matching and `starts-with`.   | 
| content-length-range |  Specifies the minimum and maximum allowable size for the uploaded content.  Supports range matching.  | 
| Cache-Control, Content-Type, Content-Disposition, Content-Encoding, Expires |  REST-specific headers.  Supports exact matching and `starts-with`.  | 
| key |  The name of the uploaded key. Supports exact matching and `starts-with`.   | 
| success_action_redirect, redirect  |  The URL to which the client is redirected upon successful upload. Supports exact matching and `starts-with`.   | 
| success_action_status |  The status code returned to the client upon successful upload if success_action_redirect is not specified. Supports exact matching.   | 
| Other field names prefixed with x-amz-meta- |  User-specified metadata.  Supports exact matching and `starts-with`.   | 

**Note**  
 If your toolkit adds additional fields (e.g., Flash adds filename), you must add them to the policy document. If you can control this functionality, prefix `x-ignore-` to the field so Amazon S3 ignores the feature and it won't affect future versions of this feature. 

### Condition matching
<a name="ConditionMatching"></a>

The following table describes condition matching types. Although you must specify one condition for each form field that you specify in the form, you can create more complex matching criteria by specifying multiple conditions for a form field.


|  Condition  |  Description  | 
| --- | --- | 
|  Exact Matches  |  Exact matches verify that fields match specific values. This example indicates that the ACL must be set to public-read: <pre>{"acl": "public-read" }</pre> This example is an alternate way to indicate that the ACL must be set to public-read: <pre>[ "eq", "$acl", "public-read" ]</pre>  | 
|  Starts With  |  If the value must start with a certain value, use starts-with. This example indicates that the key must start with user/betty: <pre>["starts-with", "$key", "user/betty/"]</pre>  | 
|  Matching Any Content  |  To configure the policy to allow any content within a field, use starts-with with an empty value. This example allows any success_action_redirect: <pre>["starts-with", "$success_action_redirect", ""]</pre>  | 
|  Specifying Ranges  |  For fields that accept ranges, separate the upper and lower ranges with a comma. This example allows a file size from 1 to 10 megabytes: <pre>["content-length-range", 1048579, 10485760]</pre>  | 
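
The matching rules above, together with the `${filename}` expansion and the rule that every form field needs a condition, can be checked locally before a form is published. The following Python sketch is an added example, not code from the AWS documentation or from Amazon S3: the function names, the redirect URL, the `content-length-range` bounds, the case-insensitive comparison of field names, and the choice to treat a condition whose field is absent as a violation are all assumptions of the sketch.

```python
import re

# Fields the page exempts from the "every form field needs a condition" rule.
EXEMPT_FIELDS = {"awsaccesskeyid", "signature", "file", "policy"}

# Constructed sample: the file-upload policy from this page, with a constructed
# redirect URL and an added content-length-range condition.
POLICY = {
    "expiration": "2007-12-01T12:00:00.000Z",
    "conditions": [
        {"bucket": "awsexamplebucket1"},
        ["starts-with", "$key", "user/eric/"],
        {"acl": "public-read"},
        {"success_action_redirect": "https://example.com/successful_upload.html"},
        ["starts-with", "$Content-Type", "image/"],
        {"x-amz-meta-uuid": "14365123651274"},
        ["starts-with", "$x-amz-meta-tag", ""],
        ["content-length-range", 1, 10485760],
    ],
}

# Constructed sample: the form fields that precede the file field.
FORM = {
    "key": "user/eric/${filename}",
    "acl": "public-read",
    "success_action_redirect": "https://example.com/successful_upload.html",
    "Content-Type": "image/jpeg",
    "x-amz-meta-uuid": "14365123651274",
    "x-amz-meta-tag": "Some,Tag,For,Picture",
    "AWSAccessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "Policy": "POLICY",
    "Signature": "SIGNATURE",
}


def expand_filename(value, client_filename):
    """Expand ${filename}: only the text after the last / or \\ is used."""
    basename = re.split(r"[\\/]", client_filename)[-1]
    return value.replace("${filename}", basename)


def normalize(condition):
    """Turn either condition syntax into an (operator, field, operand) tuple."""
    if isinstance(condition, dict):            # {"acl": "public-read"}
        (field, value), = condition.items()
        return "eq", field.lower(), value
    operator = condition[0]
    if operator == "content-length-range":     # ["content-length-range", low, high]
        return operator, "content-length", (condition[1], condition[2])
    # ["eq" or "starts-with", "$field", "value"]
    return operator, condition[1].lstrip("$").lower(), condition[2]


def check_upload(policy, bucket, fields, client_filename, content_length):
    """Return a list of violations; an empty list means the form matches."""
    # Variables are expanded before matching, as the Conditions note requires.
    values = {n.lower(): expand_filename(v, client_filename) for n, v in fields.items()}
    values["bucket"] = bucket                  # comes from the form action URL
    covered, problems = set(), []
    for operator, field, operand in map(normalize, policy["conditions"]):
        covered.add(field)
        if operator == "content-length-range":
            low, high = operand
            if not low <= content_length <= high:
                problems.append(f"content length {content_length} outside {low}-{high}")
            continue
        actual = values.get(field)
        if actual is None:                     # assumption: absent field fails
            problems.append(f"{field}: condition present but field missing")
        elif operator == "eq" and actual != operand:
            problems.append(f"{field}: {actual!r} is not {operand!r}")
        elif operator == "starts-with" and not actual.startswith(operand):
            problems.append(f"{field}: {actual!r} does not start with {operand!r}")
    # Every submitted field needs a condition unless it is exempt or x-ignore-.
    for name in (n.lower() for n in fields):
        if name in EXEMPT_FIELDS or name.startswith("x-ignore-") or name in covered:
            continue
        problems.append(f"{name}: form field has no condition in the policy")
    return problems


if __name__ == "__main__":
    path = r"C:\Program Files\directory1\MyPicture.jpg"
    print(check_upload(POLICY, "awsexamplebucket1", FORM, path, 117108))
    # A toolkit-added field (such as Flash's Filename) without a condition:
    print(check_upload(POLICY, "awsexamplebucket1", dict(FORM, Filename="x.jpg"), path, 117108))
```
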

### Character escaping
<a name="HTTPPOSTEscaping"></a>

The following table describes characters that must be escaped within a policy document.


|  Escape sequence  |  Description  | 
| --- | --- | 
|  `\\`  |  Backslash  | 
|  `\$`  |  Dollar sign  | 
|  `\b`  |  Backspace  | 
|  `\f`  |  Form feed  | 
|  `\n`  |  New line  | 
|  `\r`  |  Carriage return  | 
|  `\t`  |  Horizontal tab  | 
|  `\v`  |  Vertical tab  | 
|  `\u`*xxxx*  |  All Unicode characters  | 

## Constructing a signature
<a name="HTTPPOSTConstructingPolicySignature"></a>


| Step | Description | 
| --- | --- | 
| 1 |  Encode the policy by using UTF-8.  | 
| 2 |  Encode those UTF-8 bytes by using Base64.  | 
| 3 |  Sign the policy with your secret access key by using HMAC SHA-1.  | 
| 4 |  Encode the SHA-1 signature by using Base64.  | 

For general information about authentication, see [Identity and Access Management for Amazon S3](https://docs.aws.amazon.com//AmazonS3/latest/userguide/security-iam.html).
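
The four steps above, carried through in Python as an added example (not code from the AWS documentation). The value signed in step 3 is the Base64 text produced by step 2; the secret key, the `private` ACL, the size limit, the expiration date and the `verify` helper (which only illustrates why an edited policy no longer matches its signature) are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed values: the access key ID is the documentation sample shown on
# this page; the secret key is made up. The secret stays on the server and is
# never placed in the HTML form.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "constructed-secret-for-illustration"


def build_policy(bucket, key_prefix, expires_at, max_bytes):
    """Return a policy document that pins bucket, key prefix, ACL and size."""
    return {
        "expiration": expires_at.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "conditions": [
            {"bucket": bucket},
            ["starts-with", "$key", key_prefix],
            {"acl": "private"},
            ["content-length-range", 1, max_bytes],
        ],
    }


def encode_policy(policy):
    """Steps 1 and 2: UTF-8 encode the JSON text, then Base64 encode it."""
    # json.dumps escapes non-ASCII characters as \uXXXX by default.
    utf8_bytes = json.dumps(policy).encode("utf-8")
    return base64.b64encode(utf8_bytes).decode("ascii")


def sign_policy(policy_b64, secret_key):
    """Steps 3 and 4: HMAC SHA-1 over the Base64 policy, Base64 encoded."""
    mac = hmac.new(secret_key.encode("utf-8"), policy_b64.encode("ascii"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def form_fields(policy, secret_key=SECRET_KEY):
    """Return the three authentication fields to embed in the HTML form."""
    policy_b64 = encode_policy(policy)
    return {
        "AWSAccessKeyId": ACCESS_KEY_ID,
        "policy": policy_b64,
        "signature": sign_policy(policy_b64, secret_key),
    }


def verify(policy_b64, signature, secret_key, now):
    """Illustrative check: recompute the signature, then test the expiration."""
    expected = sign_policy(policy_b64, secret_key)
    if not hmac.compare_digest(expected, signature):   # constant-time compare
        return False
    policy = json.loads(base64.b64decode(policy_b64).decode("utf-8"))
    expires = datetime.strptime(policy["expiration"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return now < expires.replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    expires = datetime(2030, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed date
    policy = build_policy("awsexamplebucket1", "user/eric/", expires, 10485760)
    for name, value in form_fields(policy).items():
        print(f'<input type="hidden" name="{name}" value="{value}" />')
```

Because the signature covers the exact Base64 string, the form must carry the same string that was signed; re-serializing the JSON in the browser would change the bytes and invalidate the signature.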

## Redirection
<a name="HTTPPOSTConstructingPolicyRedirection"></a>

This section describes how to handle redirects.

### General redirection
<a name="HTTPPOSTGeneralRedirection"></a>

On completion of the POST request, the user is redirected to the location that you specified in the `success_action_redirect` field. If Amazon S3 cannot interpret the URL, it ignores the `success_action_redirect` field.

If `success_action_redirect` is not specified, Amazon S3 returns the empty document type specified in the `success_action_status` field.

If the POST request fails, Amazon S3 displays an error and does not provide a redirect.

### Pre-upload redirection
<a name="HTTPPOSTPreUpload"></a>

If your bucket was created using `<CreateBucketConfiguration>`, your end users might require a redirect. If this occurs, some browsers might handle the redirect incorrectly. This is relatively rare but is most likely to occur right after a bucket is created.

# Upload examples (AWS signature version 2)
<a name="HTTPPOSTExamples"></a>

**Topics**
+ [File upload](#HTTPPOSTExamplesFileUpload)
+ [Text area upload](#HTTPPOSTExamplesTextArea)

**Note**  
The request authentication discussed in this section is based on AWS Signature Version 2, a protocol for authenticating inbound API requests to AWS services.   
Amazon S3 now supports Signature Version 4, a protocol for authenticating inbound API requests to AWS services, in all AWS Regions. At this time, AWS Regions created before January 30, 2014 will continue to support the previous protocol, Signature Version 2. Any new regions after January 30, 2014 will support only Signature Version 4 and therefore all requests to those regions must be made with Signature Version 4. For more information, see [Examples: Browser-Based Upload using HTTP POST (Using AWS Signature Version 4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-post-example.html) in the *Amazon Simple Storage Service API Reference*. 

## File upload
<a name="HTTPPOSTExamplesFileUpload"></a>

This example shows the complete process for constructing a policy and form that can be used to upload a file attachment.

### Policy and form construction
<a name="HTTPPOSTExamplesFileUploadPolicy"></a>

The following policy supports uploads to Amazon S3 for the awsexamplebucket1 bucket.

```
{ "expiration": "2007-12-01T12:00:00.000Z",
  "conditions": [
    {"bucket": "awsexamplebucket1"},
    ["starts-with", "$key", "user/eric/"],
    {"acl": "public-read"},
    {"success_action_redirect": "https://awsexamplebucket1.s3.us-west-1.amazonaws.com/successful_upload.html"},
    ["starts-with", "$Content-Type", "image/"],
    {"x-amz-meta-uuid": "14365123651274"},
    ["starts-with", "$x-amz-meta-tag", ""]
  ]
}
```

This policy requires the following:
+ The upload must occur before 12:00 UTC on December 1, 2007.
+ The content must be uploaded to the awsexamplebucket1 bucket.
+ The key must start with "user/eric/".
+ The ACL is set to public-read.
+ The success_action_redirect is set to https://awsexamplebucket1.s3.us-west-1.amazonaws.com/successful_upload.html.
+ The object is an image file.
+ The x-amz-meta-uuid tag must be set to 14365123651274. 
+ The x-amz-meta-tag can contain any value.

The following is a Base64-encoded version of this policy.

```
eyAiZXhwaXJhdGlvbiI6ICIyMDA3LTEyLTAxVDEyOjAwOjAwLjAwMFoiLAogICJjb25kaXRpb25zIjogWwogICAgeyJidWNrZXQiOiAiam9obnNtaXRoIn0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiRrZXkiLCAidXNlci9lcmljLyJdLAogICAgeyJhY2wiOiAicHVibGljLXJlYWQifSwKICAgIHsic3VjY2Vzc19hY3Rpb25fcmVkaXJlY3QiOiAiaHR0cDovL2pvaG5zbWl0aC5zMy5hbWF6b25hd3MuY29tL3N1Y2Nlc3NmdWxfdXBsb2FkLmh0bWwifSwKICAgIFsic3RhcnRzLXdpdGgiLCAiJENvbnRlbnQtVHlwZSIsICJpbWFnZS8iXSwKICAgIHsieC1hbXotbWV0YS11dWlkIjogIjE0MzY1MTIzNjUxMjc0In0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiR4LWFtei1tZXRhLXRhZyIsICIiXQogIF0KfQo=
```

Using your credentials, create a signature. For example, `0RavWzkygo6QX9caELEqKi9kDbU=` is the signature for the preceding policy document.

The following form supports a POST request to the amzn-s3-demo-bucket bucket that uses this policy.

```
<html>
  <head>
    ...
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    ...
  </head>
  <body>
  ...
  <form action="https://amzn-s3-demo-bucket.s3.us-west-1.amazonaws.com/" method="post" enctype="multipart/form-data">
    Key to upload: <input type="input" name="key" value="user/eric/" /><br />
    <input type="hidden" name="acl" value="public-read" />
    <input type="hidden" name="success_action_redirect" value="https://awsexamplebucket1.s3.us-west-1.amazonaws.com/successful_upload.html" />
    Content-Type: <input type="input" name="Content-Type" value="image/jpeg" /><br />
    <input type="hidden" name="x-amz-meta-uuid" value="14365123651274" />
    Tags for File: <input type="input" name="x-amz-meta-tag" value="" /><br />
    <input type="hidden" name="AWSAccessKeyId" value="AKIAIOSFODNN7EXAMPLE" />
    <input type="hidden" name="Policy" value="POLICY" />
    <input type="hidden" name="Signature" value="SIGNATURE" />
    File: <input type="file" name="file" /> <br />
    <!-- The elements after this will be ignored -->
    <input type="submit" name="submit" value="Upload to Amazon S3" />
  </form>
  ...
</html>
```

### Sample request
<a name="HTTPPOSTExamplesFileUploadRequest"></a>

This request assumes that the image uploaded is 117,108 bytes; the image data is not included.

```
POST / HTTP/1.1
Host: awsexamplebucket1.s3.us-west-1.amazonaws.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.10) Gecko/20071115 Firefox/2.0.0.10
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: multipart/form-data; boundary=9431149156168
Content-Length: 118698

--9431149156168
Content-Disposition: form-data; name="key"

user/eric/MyPicture.jpg
--9431149156168
Content-Disposition: form-data; name="acl"

public-read
--9431149156168
Content-Disposition: form-data; name="success_action_redirect"

https://awsexamplebucket1.s3.us-west-1.amazonaws.com/successful_upload.html
--9431149156168
Content-Disposition: form-data; name="Content-Type"

image/jpeg
--9431149156168
Content-Disposition: form-data; name="x-amz-meta-uuid"

14365123651274
--9431149156168
Content-Disposition: form-data; name="x-amz-meta-tag"

Some,Tag,For,Picture
--9431149156168
Content-Disposition: form-data; name="AWSAccessKeyId"

AKIAIOSFODNN7EXAMPLE
--9431149156168
Content-Disposition: form-data; name="Policy"

eyAiZXhwaXJhdGlvbiI6ICIyMDA3LTEyLTAxVDEyOjAwOjAwLjAwMFoiLAogICJjb25kaXRpb25zIjogWwogICAgeyJidWNrZXQiOiAiam9obnNtaXRoIn0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiRrZXkiLCAidXNlci9lcmljLyJdLAogICAgeyJhY2wiOiAicHVibGljLXJlYWQifSwKICAgIHsic3VjY2Vzc19hY3Rpb25fcmVkaXJlY3QiOiAiaHR0cDovL2pvaG5zbWl0aC5zMy5hbWF6b25hd3MuY29tL3N1Y2Nlc3NmdWxfdXBsb2FkLmh0bWwifSwKICAgIFsic3RhcnRzLXdpdGgiLCAiJENvbnRlbnQtVHlwZSIsICJpbWFnZS8iXSwKICAgIHsieC1hbXotbWV0YS11dWlkIjogIjE0MzY1MTIzNjUxMjc0In0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiR4LWFtei1tZXRhLXRhZyIsICIiXQogIF0KfQo=
--9431149156168
Content-Disposition: form-data; name="Signature"

0RavWzkygo6QX9caELEqKi9kDbU=
--9431149156168
Content-Disposition: form-data; name="file"; filename="MyFilename.jpg"
Content-Type: image/jpeg

...file content...
--9431149156168
Content-Disposition: form-data; name="submit"

Upload to Amazon S3
--9431149156168--
```

### Sample response
<a name="HTTPPOSTExamplesFileUploadResponse"></a>

```
HTTP/1.1 303 Redirect
x-amz-request-id: 1AEE782442F35865
x-amz-id-2: cxzFLJRatFHy+NGtaDFRR8YvI9BHmgLxjvJzNiGGICARZ/mVXHj7T+qQKhdpzHFh
Content-Type: application/xml
Date: Wed, 14 Nov 2007 21:21:33 GMT
Connection: close
Location: https://awsexamplebucket1.s3.us-west-1.amazonaws.com/successful_upload.html?bucket=awsexamplebucket1&key=user/eric/MyPicture.jpg&etag="39d459dfbc0faabbb5e179358dfb94c3"
Server: AmazonS3
```

## Text area upload
<a name="HTTPPOSTExamplesTextArea"></a>

**Topics**
+ [Policy and form construction](#HTTPPOSTExamplesTextAreaPolicy)
+ [Sample request](#HTTPPOSTExamplesTextAreaRequest)
+ [Sample response](#HTTPPOSTExamplesTextAreaResponse)

The following example shows the complete process for constructing a policy and form to upload a text area. Uploading a text area is useful for submitting user-created content, such as blog postings.

### Policy and form construction
<a name="HTTPPOSTExamplesTextAreaPolicy"></a>

The following policy supports text area uploads to Amazon S3 for the awsexamplebucket1 bucket.

```
{ "expiration": "2007-12-01T12:00:00.000Z",
  "conditions": [
    {"bucket": "awsexamplebucket1"},
    ["starts-with", "$key", "user/eric/"],
    {"acl": "public-read"},
    {"success_action_redirect": "https://awsexamplebucket1.s3.us-west-1.amazonaws.com/new_post.html"},
    ["eq", "$Content-Type", "text/html"],
    {"x-amz-meta-uuid": "14365123651274"},
    ["starts-with", "$x-amz-meta-tag", ""]
  ]
}
```

This policy requires the following:
+ The upload must occur before 12:00 GMT on 2007-12-01.
+ The content must be uploaded to the awsexamplebucket1 bucket.
+ The key must start with "user/eric/".
+ The ACL is set to public-read.
+ The success_action_redirect is set to https://awsexamplebucket1.s3.us-west-1.amazonaws.com/new_post.html.
+ The object is HTML text.
+ The x-amz-meta-uuid tag must be set to 14365123651274. 
+ The x-amz-meta-tag can contain any value.

The following is a Base64-encoded version of this policy.

```
eyAiZXhwaXJhdGlvbiI6ICIyMDA3LTEyLTAxVDEyOjAwOjAwLjAwMFoiLAogICJjb25kaXR
pb25zIjogWwogICAgeyJidWNrZXQiOiAiam9obnNtaXRoIn0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiRrZXkiLCAidXNlci9lcmljLyJd
LAogICAgeyJhY2wiOiAicHVibGljLXJlYWQifSwKICAgIHsic3VjY2Vzc19hY3Rpb25fcmVkaXJlY3QiOiAiaHR0cDovL2pvaG5zbWl0a
C5zMy5hbWF6b25hd3MuY29tL25ld19wb3N0Lmh0bWwifSwKICAgIFsiZXEiLCAiJENvbnRlbnQtVHlwZSIsICJ0ZXh0L2h0bWwiXSwKI
CAgIHsieC1hbXotbWV0YS11dWlkIjogIjE0MzY1MTIzNjUxMjc0In0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiR4LWFtei1tZXRhLXRhZy
IsICIiXQogIF0KfQo=
```

Using your credentials, create a signature. For example, `qA7FWXKq6VvU68lI9KdveT1cWgF=` is the signature for the preceding policy document.

The following form supports a POST request to the amzn-s3-demo-bucket bucket that uses this policy.

```
<html>
  <head>
    ...
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    ...
  </head>
  <body>
  ...
  <form action="https://amzn-s3-demo-bucket.s3.us-west-1.amazonaws.com/" method="post" enctype="multipart/form-data">
    Key to upload: <input type="input" name="key" value="user/eric/" /><br />
    <input type="hidden" name="acl" value="public-read" />
    <input type="hidden" name="success_action_redirect" value="https://awsexamplebucket1.s3.us-west-1.amazonaws.com/new_post.html" />
    <input type="hidden" name="Content-Type" value="text/html" />
    <input type="hidden" name="x-amz-meta-uuid" value="14365123651274" />
    Tags for File: <input type="input" name="x-amz-meta-tag" value="" /><br />
    <input type="hidden" name="AWSAccessKeyId" value="AKIAIOSFODNN7EXAMPLE" />
    <input type="hidden" name="Policy" value="POLICY" />
    <input type="hidden" name="Signature" value="SIGNATURE" />
    Entry: <textarea name="file" cols="60" rows="10">

Your blog post goes here.

    </textarea><br />
    <!-- The elements after this will be ignored -->
    <input type="submit" name="submit" value="Upload to Amazon S3" />
  </form>
  ...
</html>
```

### Sample request
<a name="HTTPPOSTExamplesTextAreaRequest"></a>

This request assumes that the image uploaded is 117,108 bytes; the image data is not included.

```
POST / HTTP/1.1
Host: awsexamplebucket1.s3.us-west-1.amazonaws.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.10) Gecko/20071115 Firefox/2.0.0.10
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: multipart/form-data; boundary=178521717625888
Content-Length: 118635

--178521717625888
Content-Disposition: form-data; name="key"

user/eric/NewEntry.html
--178521717625888
Content-Disposition: form-data; name="acl"

public-read
--178521717625888
Content-Disposition: form-data; name="success_action_redirect"

https://awsexamplebucket1.s3.us-west-1.amazonaws.com/new_post.html
--178521717625888
Content-Disposition: form-data; name="Content-Type"

text/html
--178521717625888
Content-Disposition: form-data; name="x-amz-meta-uuid"

14365123651274
--178521717625888
Content-Disposition: form-data; name="x-amz-meta-tag"

Interesting Post
--178521717625888
Content-Disposition: form-data; name="AWSAccessKeyId"

AKIAIOSFODNN7EXAMPLE
--178521717625888
Content-Disposition: form-data; name="Policy"

eyAiZXhwaXJhdGlvbiI6ICIyMDA3LTEyLTAxVDEyOjAwOjAwLjAwMFoiLAogICJjb25kaXRpb25zIjogWwogICAgeyJidWNrZXQiOiAiam9obnNtaXRoIn0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiRrZXkiLCAidXNlci9lcmljLyJdLAogICAgeyJhY2wiOiAicHVibGljLXJlYWQifSwKICAgIHsic3VjY2Vzc19hY3Rpb25fcmVkaXJlY3QiOiAiaHR0cDovL2pvaG5zbWl0aC5zMy5hbWF6b25hd3MuY29tL25ld19wb3N0Lmh0bWwifSwKICAgIFsiZXEiLCAiJENvbnRlbnQtVHlwZSIsICJ0ZXh0L2h0bWwiXSwKICAgIHsieC1hbXotbWV0YS11dWlkIjogIjE0MzY1MTIzNjUxMjc0In0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiR4LWFtei1tZXRhLXRhZyIsICIiXQogIF0KfQo=
--178521717625888
Content-Disposition: form-data; name="Signature"

qA7FWXKq6VvU68lI9KdveT1cWgF=
--178521717625888
Content-Disposition: form-data; name="file"

...content goes here...
--178521717625888
Content-Disposition: form-data; name="submit"

Upload to Amazon S3
--178521717625888--
```

### Sample response
<a name="HTTPPOSTExamplesTextAreaResponse"></a>

```
HTTP/1.1 303 Redirect
x-amz-request-id: 1AEE782442F35865
x-amz-id-2: cxzFLJRatFHy+NGtaDFRR8YvI9BHmgLxjvJzNiGGICARZ/mVXHj7T+qQKhdpzHFh
Content-Type: application/xml
Date: Wed, 14 Nov 2007 21:21:33 GMT
Connection: close
Location: https://awsexamplebucket1.s3.us-west-1.amazonaws.com/new_post.html?bucket=awsexamplebucket1&key=user/eric/NewEntry.html&etag=40c3271af26b7f1672e41b8a274d28d4
Server: AmazonS3
```

# POST with Adobe Flash (AWS signature version 2)
<a name="HTTPPOSTFlash"></a>

This section describes how to use `POST` with Adobe Flash.

## Adobe Flash Player security
<a name="AdobeFlashPlayerSecurity"></a>

By default, the Adobe Flash Player security model prohibits Adobe Flash Players from making network connections to servers outside the domain that serves the SWF file.

To override the default, you must upload a publicly readable crossdomain.xml file to the bucket that will accept POST uploads. The following is a sample crossdomain.xml file.

```
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>
```

**Note**  
For more information about the Adobe Flash security model, go to the Adobe website.  
Adding the crossdomain.xml file to your bucket allows any Adobe Flash Player to connect to the crossdomain.xml file within your bucket; however, it does not grant access to the actual Amazon S3 bucket.

## Adobe Flash considerations
<a name="HTTPPOSTAdobeFlashConsiderations"></a>

 The FileReference API in Adobe Flash adds the `Filename` form field to the POST request. When you build Adobe Flash applications that upload to Amazon S3 by using the FileReference API action, include the following condition in your policy: 

```
["starts-with", "$Filename", ""]
```

Some versions of the Adobe Flash Player do not properly handle HTTP responses that have an empty body. To configure POST to return a response that does not have an empty body, set `success_action_status` to 201. Amazon S3 will then return an XML document with a 201 status code. For information about the content of the XML document, see [POST Object](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOST.html). For information about form fields, see [HTML form fields](HTTPPOSTForms.md#HTTPPOSTFormFields). 