Rails 7 adds support for ActiveStorage expiring URLs

Sep 14, 2021
authorImg Deepak Mahakale
authorImg Deepak Mahakale

Deepak is an Engineering Manager at Saeloun who leads project delivery, mentors developers, and actively contributes to the codebase.

 1 minute read

The introduction of ActiveStorage in Rails 5.2 changed the way we upload or serve the attachments in a Rails application.

ActiveStorage has made it easier to integrate and use various cloud storage services.

While working with attachments, we often come across situations where we need to expire the URLs after a specific amount of time.

Before, this specific change, we had to use the service url (referred as service_url before) to set the expiration time.

But, with the introduction of this change in ActiveStorage, it can be set with the redirection URL itself without using or exposing the actual service URL.

Before

Let’s say, we have a User model which has one registration attached to it.

class User < ApplicationRecord
  has_one_attached :registration
end

When we create a blob URL, it can be accessed unlimited times by anyone with the actual URL and, the URL never expires. This is a setback as it skips all the authentications and authorizations and can be dangerous with sensitive documents.

# Permanent signed URL
url_for(user.registration)
# http://localhost:4000/rails/active_storage/blobs/redirect/ey...a/registration.jpg

# Service URL with default expiration
user.registration.url
# https://rails-blog.s3.amazonaws.com/....&X-Amz-Expires=360

# Service URL with explicit expiration
user.registration.url(expires_in: 5.seconds)
# https://rails-blog.s3.amazonaws.com/....&X-Amz-Expires=5

# Doesn't expires
rails_blob_path(user.registration)
# http://localhost:4000/rails/active_storage/blobs/redirect/ey...a/registration.jpg

Before rails 6

# config/initializers/active_storage.rb
ActiveStorage::Service.url_expires_in = 30.minutes

After rails 6

# application.rb
module Blog
  class Application < Rails::Application
    config.active_storage.service_urls_expire_in = 10.minutes # Defaut: 5.minutes
  end
end

After

With this latest addition in Rails 7, the URLs will expire at the given expiration time.

# Permanent signed URL
url_for(user.registration)
# http://localhost:4000/rails/active_storage/blobs/redirect/ey...a/registration.jpg

# Service URL with default expiration
user.registration.url
# https://rails-blog.s3.amazonaws.com/....&X-Amz-Expires=360

# Service URL with explicit expiration
user.registration.url(expires_in: 5.seconds)
# https://rails-blog.s3.amazonaws.com/....&X-Amz-Expires=5

# Signed URL with expiration
rails_blob_path(user.registration, disposition: "attachment", expires_in: 5.seconds)
# http://localhost:4000/rails/active_storage/blobs/redirect/ey...a/registration.jpg

If you want to set a default expiration time for ActiveStorage URLs throughout your application, set

# config/application.rb
module Blog
  class Application < Rails::Application
    config.active_storage.urls_expire_in = 30.minutes
  end
end

OR in environment-specific configuration files development.rb, production.rb.

# config/environments/production.rb
Rails.application.configure do
  config.active_storage.urls_expire_in = 10.minutes # Default: nil
end

Need help on your Ruby on Rails or React project?

BOOK A CALL

If you enjoyed this post, you might also like:

Lexxy - The next generation rich text editor for Rails

October 14, 2025

Rails Decouples Trix From Action Text Into action_text-trix gem

September 12, 2025

Rails 8 does not include redis by default in the dev container.

July 11, 2025

Join Our Newsletter