diff --git a/config/blobs.yml b/config/blobs.yml
index 6c664f40f0..76284b8987 100644
--- a/config/blobs.yml
+++ b/config/blobs.yml
@@ -86,6 +86,10 @@ nginx/nginx-upload-module-2.3.0.tar.gz:
   size: 40139
   object_id: 2f8f59a7-8e90-4bf5-67d8-1637924ab331
   sha: sha256:c86e318addb9c88d70fdbd58ff1f6ef6f404a93070f6db8017a1f880c97946c4
+nginx/ngx_http_hmac_secure_link_module-0.3.tar.gz:
+  size: 5452
+  object_id: ede41169-975a-4873-5a9e-d2d1aac3e865
+  sha: sha256:0d4a69f39b513a3427f5fb41a7503844e703395ca04517d0a55400e4a3150927
 nginx/pcre-8.45.tar.gz:
   size: 2096552
   object_id: a90f9f20-e23b-4755-59c7-101197325dab
diff --git a/jobs/blobstore/templates/blobstore.conf.erb b/jobs/blobstore/templates/blobstore.conf.erb
index 4f8b8cc28f..4c72f0d509 100644
--- a/jobs/blobstore/templates/blobstore.conf.erb
+++ b/jobs/blobstore/templates/blobstore.conf.erb
@@ -67,6 +67,29 @@ server {
     proxy_pass http://blob_url_signer;
   }
 
+  # SHA256 HMAC signed URLs (storage-cli compatible)
+  location ~ ^/signed/(?<blob_path>.+)$ {
+    if ( $request_method !~ ^(GET|HEAD|PUT)$ ) {
+      return 405;
+    }
+
+    # Enable PUT for uploads
+    dav_methods PUT;
+    create_full_put_path on;
+
+    # SHA256 HMAC signature verification
+    secure_link_hmac $arg_st,$arg_ts,$arg_e;
+    secure_link_hmac_secret <%= p('blobstore.secure_link.secret') %>;
+    secure_link_hmac_message $request_method$blob_path$arg_ts$arg_e;
+    secure_link_hmac_algorithm sha256;
+
+    if ($secure_link_hmac != "1") {
+      return 403;
+    }
+
+    alias /var/vcap/store/shared/$blob_path;
+  }
+
   # ensure the contents of this location block always match the public server /read/ location block
   location /read/ {
     if ( $request_method !~ ^(GET|HEAD)$ ) {
@@ -125,6 +148,29 @@ server {
   access_log /var/vcap/sys/log/blobstore/public_access.log;
   error_log  /var/vcap/sys/log/blobstore/public_error.log;
 
+  # SHA256 HMAC signed URLs (storage-cli compatible)
+  location ~ ^/signed/(?<blob_path>.+)$ {
+    if ( $request_method !~ ^(GET|HEAD|PUT)$ ) {
+      return 405;
+    }
+
+    # Enable PUT for uploads
+    dav_methods PUT;
+    create_full_put_path on;
+
+    # SHA256 HMAC signature verification
+    secure_link_hmac $arg_st,$arg_ts,$arg_e;
+    secure_link_hmac_secret <%= p('blobstore.secure_link.secret') %>;
+    secure_link_hmac_message $request_method$blob_path$arg_ts$arg_e;
+    secure_link_hmac_algorithm sha256;
+
+    if ($secure_link_hmac != "1") {
+      return 403;
+    }
+
+    alias /var/vcap/store/shared/$blob_path;
+  }
+
   # ensure the contents of this location block always match the internal server /read/ location block
   location /read/ {
     if ( $request_method !~ ^(GET|HEAD)$ ) {
@@ -188,6 +234,29 @@ server {
   access_log /var/vcap/sys/log/blobstore/public_access.log;
   error_log  /var/vcap/sys/log/blobstore/public_error.log;
 
+  # SHA256 HMAC signed URLs (storage-cli compatible)
+  location ~ ^/signed/(?<blob_path>.+)$ {
+    if ( $request_method !~ ^(GET|HEAD|PUT)$ ) {
+      return 405;
+    }
+
+    # Enable PUT for uploads
+    dav_methods PUT;
+    create_full_put_path on;
+
+    # SHA256 HMAC signature verification
+    secure_link_hmac $arg_st,$arg_ts,$arg_e;
+    secure_link_hmac_secret <%= p('blobstore.secure_link.secret') %>;
+    secure_link_hmac_message $request_method$blob_path$arg_ts$arg_e;
+    secure_link_hmac_algorithm sha256;
+
+    if ($secure_link_hmac != "1") {
+      return 403;
+    }
+
+    alias /var/vcap/store/shared/$blob_path;
+  }
+
   # ensure the contents of this location block always match the internal server /read/ location block
   location /read/ {
     if ( $request_method !~ ^(GET|HEAD)$ ) {
diff --git a/packages/nginx_webdav/packaging b/packages/nginx_webdav/packaging
index 2aacdc9446..a7d943f597 100644
--- a/packages/nginx_webdav/packaging
+++ b/packages/nginx_webdav/packaging
@@ -1,4 +1,5 @@
 set -e -x
+# enable secure_link_hmac (SHA256 signed URLs)
 
 echo "Extracting expat..."
 tar xvf expat/expat-2.5.0.tar.bz2
@@ -20,6 +21,9 @@ tar xzvf nginx/nginx-1.30.2.tar.gz
 echo "Extracting webdav extensions"
 tar xzvf nginx/nginx-dav-ext-module-3.0.0.tar.gz
 
+echo "Extracting HMAC secure link module"
+tar xzvf nginx/ngx_http_hmac_secure_link_module-0.3.tar.gz
+
 sed -i 's@"nginx/"@"-/"@g' nginx-1.30.2/src/core/nginx.h
 sed -i 's@r->headers_out.server == NULL@0@g' nginx-1.30.2/src/http/ngx_http_header_filter_module.c
 sed -i 's@r->headers_out.server == NULL@0@g' nginx-1.30.2/src/http/v2/ngx_http_v2_filter_module.c
@@ -35,7 +39,8 @@ pushd nginx-1.30.2
     --with-http_dav_module \
     --with-http_secure_link_module \
     --with-http_ssl_module \
-    --add-module=../nginx-dav-ext-module-3.0.0
+    --add-module=../nginx-dav-ext-module-3.0.0 \
+    --add-module=../ngx_http_hmac_secure_link_module-0.3
 
   make
   make install
diff --git a/packages/nginx_webdav/spec b/packages/nginx_webdav/spec
index 13e70936b6..553763eb26 100644
--- a/packages/nginx_webdav/spec
+++ b/packages/nginx_webdav/spec
@@ -5,3 +5,4 @@ files:
   - nginx/nginx-1.30.2.tar.gz
   - nginx/pcre-8.45.tar.gz
   - nginx/nginx-dav-ext-module-3.0.0.tar.gz
+  - nginx/ngx_http_hmac_secure_link_module-0.3.tar.gz