Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


    Cloudron Forum

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    Should we switch to STORAGE_TYPE=local_secure in .env?

    BookStack
    2
    2
    209
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • luckow
      luckow translator last edited by girish

      The default configuration of BookStack does not secure uploads. If attackers knows the exact URL, they are able to download the file without authentication. That's the default in Cloudrons .env configuration.
      With STORAGE_TYPE=local_secure in the .env file every upload goes to storage/uploads/images.
      A migration to this new behavior is possible, but it cost lifetime. More info about the security settings -> bookstackapp.com/docs/admin/security/#securing-images

      What is your opinion on this topic?

      Pronouns: he/him | Primary language: German

      girish 1 Reply Last reply Reply Quote 1
      • girish
        girish Staff @luckow last edited by

        @luckow I think the feature is still "experimental" per the docs - This solution is currently still in testing you could experience performance issues.

        The second solution listed in the section suggests enabling "Enable higher security image uploads". I can confirm that option works. Since, we enable .htaccess in the apache configs, directory indexes are disabled as well.

        I think if people still want local_secure, they can always fix up env as required but there's probably a reason that the upstream does not use this as the default.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Powered by NodeBB