Should we switch to STORAGE_TYPE=local_secure in .env?
-
The default configuration of BookStack does not secure uploads. If attackers knows the exact URL, they are able to download the file without authentication. That's the default in Cloudrons .env configuration.
WithSTORAGE_TYPE=local_securein the.envfile every upload goes tostorage/uploads/images.
A migration to this new behavior is possible, but it cost lifetime. More info about the security settings -> bookstackapp.com/docs/admin/security/#securing-imagesWhat is your opinion on this topic?
Pronouns: he/him | Primary language: German
-
The default configuration of BookStack does not secure uploads. If attackers knows the exact URL, they are able to download the file without authentication. That's the default in Cloudrons .env configuration.
WithSTORAGE_TYPE=local_securein the.envfile every upload goes tostorage/uploads/images.
A migration to this new behavior is possible, but it cost lifetime. More info about the security settings -> bookstackapp.com/docs/admin/security/#securing-imagesWhat is your opinion on this topic?
@luckow I think the feature is still "experimental" per the docs -
This solution is currently still in testing you could experience performance issues.The second solution listed in the section suggests enabling "Enable higher security image uploads". I can confirm that option works. Since, we enable .htaccess in the apache configs, directory indexes are disabled as well.
I think if people still want local_secure, they can always fix up env as required but there's probably a reason that the upstream does not use this as the default.
