User Uploads Directory Security #467
kiwidood started this conversation in Feature Requests
The User Uploads directory by default does not require authentication via the backend. To secure it currently, directory indexing needs to be disabled and the directory would need to be IP whitelisted/password protected.
It would be good if there was a security warning on the file uploads section regarding how the files are stored and the security implications.
Some ideas would be:
- Append a random string to the end of the user uploaded file name (easiest)
- Store the uploaded files in a not publicly accessible directory and serve them via PHP
- Store the uploaded files in the database and serve via PHP
Each of these options has its pros/cons, but any of them would certainly be better than things currently are for security.
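A sketch of the second idea from the post above (files kept outside the web root and served through PHP after an authentication check), added here as an illustration and not taken from the project's code. The script name, the `UPLOAD_DIR` path, the `f` query parameter and the `user_id` session key are all assumptions.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical download.php, not code from the project.

session_start();

// Assumption: uploads are stored outside the web root, so the web server
// never serves them directly and directory indexing cannot expose them.
const UPLOAD_DIR = '/var/app/private_uploads';

// Assumption: the application's login code sets $_SESSION['user_id'].
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Authentication required');
}

// Keep only the final path component so "../" sequences cannot escape UPLOAD_DIR.
$requested = basename((string)($_GET['f'] ?? ''));
$base = realpath(UPLOAD_DIR);
$path = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $requested);

// realpath() resolves symlinks; reject anything missing or resolving outside the directory.
if ($requested === '' || $base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Serve as an opaque download so the browser does not render uploaded HTML or scripts inline.
header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($requested));
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string)filesize($path));
readfile($path);
```

A per-file ownership or permission check would go next to the session check if uploads should not be visible to every logged-in user.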