Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
Laravel temporary signed URL always returning 403 (Invalid Signature) response.
whenever I typed wrong URL and use expired URL.
I'm verifying URL like.
if (! $request->hasValidSignature()) {
abort(401);
}
Can I return 403 HTTP code when signed URL is expired and return 400 HTTP code when signed URL is invalid?
what does it mean wrong/invalid URL? it has to match a route so your signature validation is executed. it would otherwise abort as 404 not found. give us an example of valid and unvalid/wrong URL that you are trying to validate.
probably a tweak to route definition is needed so you do not match wrong URLs
what does it mean wrong/invalid URL
@s4muel if I change signature query string in a url, it will return 403 if I try to access expired URl it will also give 403.
@s4muel my use case is that I'm sending a mail with temporary signed URL that is valid for next 24 hours.
So if user click on a link after 24 hrs then i want so message showing Your link is expired something and if user alter signed URL, then I want to show message like Your link is invalid please try again or generate new
How can I do this? Please help me
Or should I create my own functionality to validate link and stored into DB for checking it's expire or not. What should I do?
@amitsolanki24_ i still dont get it, here is an example of signed url:
http://example.com/dashboard?user=1&signature=1235c56df4c8ad3228593860f5e26466847249752b30f18540634707f23
if the user changes the signature parameter, it leads to 403, because the signature is altered, thus invalid. the url exists (http://example.com/dashboard), the signature is never stored, it is just an encrypted string with parameters. that is why you cannot check whether it exists or not.
i mean, you could if you wanted. to store all of generated signed urls and then compare them in a middleware or something, but i personally dont see a point of that. and you probably also disclose information about the signature existence/absence, which might not be a big deal, but the less to disclose, the better.
@Twenalexyy drivel verify the signature in your controller rather than in the routes file. You then have control over how you want to handle invalid signatures
@s4muel Should I stored url in DB to check where it's expired or not?
Or should I do something else to achive same logic?
@Snapey Sorry, I didn't get it. Please could you elaborate more.
well, at the start you said you validate the url with
if (! $request->hasValidSignature()) {
abort(401);
}
But if you are getting a 403, you are not reaching the above code, so perhaps you have ALSO added it as a check in the routes file. If so, remove the check in your routes an place whatever you need to do in this code instead of the 401
@Snapey i haven't added signed middleware for my route.
@amitsolanki24_ so where do you suppose 403 comes from?
@Snapey from below code.
public function checkURL(Request $request)
if (! $request->hasValidSignature()) {
abort(401);
}
}
@amitsolanki24_ what? the code that says abort(401). ?
Please or to participate in this conversation.