Should we switch to STORAGE_TYPE=local_secure in .env?

luckow

The default configuration of BookStack does not secure uploads. If attackers knows the exact URL, they are able to download the file without authentication. That's the default in Cloudrons .env configuration.
With STORAGE_TYPE=local_secure in the .env file every upload goes to storage/uploads/images.
A migration to this new behavior is possible, but it cost lifetime. More info about the security settings -> bookstackapp.com/docs/admin/security/#securing-images

What is your opinion on this topic?

girish

@luckow I think the feature is still "experimental" per the docs - This solution is currently still in testing you could experience performance issues.

The second solution listed in the section suggests enabling "Enable higher security image uploads". I can confirm that option works. Since, we enable .htaccess in the apache configs, directory indexes are disabled as well.

I think if people still want local_secure, they can always fix up env as required but there's probably a reason that the upstream does not use this as the default.