For connecting to the Azure Storage endpoint, there are two options: http and https.
1st. https adds overhead, maybe 5%-10%, but I don't pay that cost within the same datacenter.
2nd. http is faster, but the Authorization: SharedKey header is exposed. However, since it's SHA-256 with a timestamp, it should be very secure (at least the algorithm is still safe).
So, if the payload does not contain sensitive data, for example when uploading a picture that is supposed to be viewed by the public, I use http as the endpoint protocol, but when the payload has sensitive data, I use https.
My question is: am I taking a chance here? Will exposing the key in the http header cause a security breach of my Azure storage account (it will also expose the account name), which stores plenty of data and is the core of the whole business?
HTTPS is used when you want to secure your data over the internet. SAS is used when you want to control who can retrieve the data in a particular period. To me they focus on different aspects.
Back to your question, my personal opinion is that you can set your data (I think it's a BLOB since you mentioned SAS) or container as private, so that it cannot be accessed over the internet through HTTP/HTTPS, but only if you are using the SDK library inside Azure. Then this would be very secure since there is no public transaction, no key and no account name.
If you do need to expose the BLOBs on the internet, I think HTTPS should be secure, since even though the account name is in the request, it's almost impossible for a hacker to 'guess' your access token. If you want to protect your data for a particular user, or prevent it from being linked by other websites using your BLOB URL, you can use SAS, which means you grab a SAS for a very short period (i.e. 3 seconds), let your website retrieve the data, and then it expires. Even though the URL was on your site, it cannot be used by others.
Hope this answers your question.
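As an added example, not part of the question or the answer above, the following Python models the two credentials the thread talks about: the `Authorization: SharedKey` header that would be visible on plain HTTP, and the short-lived SAS the answer recommends. Nothing here contacts Azure; it re-implements the signing and the service-side check locally so you can see what an eavesdropper actually holds after capturing the header. The account name (`examplestorage`), the account key, the container and blob names, and the `demo()` helper are all made up for the example. The string-to-sign layouts follow the documented Blob Shared Key format (2009-09-19 and later) and Service SAS version 2015-04-05, and the 15-minute `x-ms-date` window is the clock skew Azure documents; those are the only facts about the real service the code relies on.

```python
"""
Added example, not code from the original question or answer: a self-contained
model of a Shared Key Authorization header and a short-lived Service SAS.
It never talks to Azure. The account name, key and blob paths are made up; the
string-to-sign layouts follow the documented Blob Shared Key format (2009-09-19
and later) and Service SAS version 2015-04-05, and the 15-minute date window is
the documented skew Azure allows on x-ms-date.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from urllib.parse import parse_qsl, urlencode

ACCOUNT = "examplestorage"                               # hypothetical account name
ACCOUNT_KEY = base64.b64encode(b"\x01" * 64).decode()    # hypothetical key, not a real one
KEY_BYTES = base64.b64decode(ACCOUNT_KEY)
SKEW = timedelta(minutes=15)                             # Azure refuses x-ms-date outside this window


def _sign(string_to_sign: str) -> str:
    """Base64(HMAC-SHA256(key, string_to_sign)): the key goes in, only the MAC comes out."""
    mac = hmac.new(KEY_BYTES, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def shared_key_header(verb: str, container: str, blob: str, x_ms_date: str,
                      version: str = "2015-04-05") -> str:
    """Authorization: SharedKey header for a body-less blob request."""
    # Blob Shared Key string-to-sign: VERB, then eleven standard headers (all empty
    # here), then the canonicalized x-ms-* headers and the canonicalized resource.
    canonicalized_headers = f"x-ms-date:{x_ms_date}\nx-ms-version:{version}\n"
    canonicalized_resource = f"/{ACCOUNT}/{container}/{blob}"
    string_to_sign = f"{verb}\n" + "\n" * 11 + canonicalized_headers + canonicalized_resource
    return f"SharedKey {ACCOUNT}:{_sign(string_to_sign)}"


def verify_shared_key(header: str, verb: str, container: str, blob: str,
                      x_ms_date: str, now: datetime) -> bool:
    """Service side: recompute the MAC for *this* request and enforce the date window."""
    expected = shared_key_header(verb, container, blob, x_ms_date)
    if not hmac.compare_digest(header, expected):
        return False                                     # different request or wrong key
    sent = parsedate_to_datetime(x_ms_date)
    return abs(now - sent) <= SKEW                       # stale captures are refused


def service_sas(container: str, blob: str, expiry: datetime,
                permissions: str = "r", version: str = "2015-04-05") -> str:
    """Query string for a blob-level Service SAS that stops working at `expiry`."""
    se = expiry.strftime("%Y-%m-%dT%H:%M:%SZ")
    resource = f"/blob/{ACCOUNT}/{container}/{blob}"
    # Service SAS string-to-sign (2015-04-05): sp, st, se, resource, si, sip, spr, sv,
    # then the five response-header overrides; unused fields stay empty.
    string_to_sign = "\n".join([permissions, "", se, resource, "", "", "", version,
                                "", "", "", "", ""])
    return urlencode({"sv": version, "sr": "b", "sp": permissions, "se": se,
                      "sig": _sign(string_to_sign)})


def verify_sas(query: str, container: str, blob: str, now: datetime) -> bool:
    """Service side: reject after `se`, then recompute the signature for this blob."""
    params = dict(parse_qsl(query))
    expiry = datetime.strptime(params["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now > expiry:
        return False
    expected = dict(parse_qsl(service_sas(container, blob, expiry, params["sp"], params["sv"])))
    return hmac.compare_digest(expected["sig"], params["sig"])


def demo() -> dict:
    """What an eavesdropper on plain HTTP can and cannot do with a captured header or SAS."""
    now = datetime(2016, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    date_hdr = format_datetime(now, usegmt=True)         # "Fri, 01 Jan 2016 12:00:00 GMT"
    header = shared_key_header("GET", "public-pics", "cat.jpg", date_hdr)
    sas = service_sas("public-pics", "cat.jpg", now + timedelta(seconds=3))
    return {
        "key_not_in_header": ACCOUNT_KEY not in header,
        "same_request_accepted": verify_shared_key(header, "GET", "public-pics", "cat.jpg", date_hdr, now),
        "replay_within_skew_accepted": verify_shared_key(header, "GET", "public-pics", "cat.jpg", date_hdr, now + timedelta(minutes=5)),
        "replay_after_skew_rejected": not verify_shared_key(header, "GET", "public-pics", "cat.jpg", date_hdr, now + SKEW + timedelta(seconds=1)),
        "other_blob_rejected": not verify_shared_key(header, "GET", "private", "ledger.csv", date_hdr, now),
        "sas_valid_now": verify_sas(sas, "public-pics", "cat.jpg", now),
        "sas_expired_after_3s": not verify_sas(sas, "public-pics", "cat.jpg", now + timedelta(seconds=4)),
        "sas_wrong_blob_rejected": not verify_sas(sas, "private", "ledger.csv", now),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:30s} {'ok' if ok else 'FAIL'}")
```

Run it and every check in `demo()` comes back true: the header carries the account name and an HMAC, not the key; the HMAC only verifies for the exact request it was computed over, and only while the `x-ms-date` is inside the skew window (so a captured GET of a public picture can be replayed for that same GET for up to 15 minutes, but not turned into a request for a different blob or a PUT); and a 3-second SAS is refused one second after it expires or when presented for another blob.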