Security - Policies & Signatures

Filestack allows multiple ways to make sure that your files are exactly as secure as you want them. You can use security parameters with your Filepicker, FileLinks, file conversions, and any of our SDKs.

Filestack security is expressed as a JSON object with two parts: a Policy and a Signature.

Policy

The Policy states which operations can be performed with the feature of the API that is being used. Policies include an expiration and optional permissions.

This means that you can create a policy that is only valid for a specific time and function.

Signature

The Signature is an HMAC-encoded string generated from your secret key and the Policy. It identifies the origin of the request.

Do not share your secret key or expose it in your client-side code.

Filestack Security Tools

You can enforce the use of security with your API as well as create policies and signatures in your Developer Portal.

Screencast showing creation of policy in Filestack Developer Portal

You MUST take steps to generate policies and signatures before turning on security.

When security is turned on, the API will not accept any requests without the correct parameters.

Using Security with Filestack

Security can be used in the following ways:

Pass Security into your Filepicker

To use Signature and Policy with your Filepicker, you will need to pass the created JSON into the init function along with your API key.

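// The API key is public; the secret key never appears in this code.
const apikey = "Your_API_Key";
// Policy and signature are created beforehand and passed in as strings.
const security = { policy: "YourPolicy", signature: "YourHMACSignature" };
// Every request made through this client carries the policy and signature.
const client = filestack.init(apikey, security);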

If you turn on security in your developer portal, but do not pass it with the init function, users will see this:

Screenshot showing Filepicker not opening due to security

Add security to your FileLink

Signature and policy can be added to FileLinks to protect the delivery of your uploads.

Filelink before security:

https://www.filestackapi.com/api/file/KW9EJhYtS6y48Whm2S6D

Filelink with security:

https://www.filestackapi.com/api/file/KW9EJhYtS6y48Whm2S6D?signature=4098f262b9dba23e4766ce127353aaf4f37fde0fd726d164d944e031fd862c18&policy=eyJoYW5kbGUiOiJLVzlFSmhZdFM2eTQ4V2htMlM2RCIsImV4cGlyeSI6MTUwODE0MTUwNH0=

Conversion Filelink before security:

https://process.filestackapi.com/resize=width:500,height:500/2h25ZGRHTfmQ2DBEt3yR

Conversion Filelink with security:

https://process.filestackapi.com/resize=width:500,height:500/2h25ZGRHTfmQ2DBEt3y?signature=4098f262b9dba23e4766ce127353aaf4f37fde0fd726d164d944e031fd862c18&policy=eyJoYW5kbGUiOiJLVzlFSmhZdFM2eTQ4V2htMlM2RCIsImV4cGlyeSI6MTUwODE0MTUwNH0=
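
The Policy and Signature described under those headings, and the secured FileLink form, can be produced on a server so the secret key never reaches client-side code. This is an added example, not code from Filestack or the original page. It assumes HMAC-SHA256 with hex output (consistent with the 64-character sample signature) computed over the URL-safe base64 policy string, and it uses the handle and expiry fields that the sample policy decodes to; the secret value, the function names and the verifyPolicy check are hypothetical.

```javascript
// Added example (not Filestack's own code): sign a policy on the server.
const nodeCrypto = require("crypto");

// Constructed placeholder; load the real app secret from server-side config.
const APP_SECRET = "constructed-example-secret";

const hmacOf = (text, secret) =>
  nodeCrypto.createHmac("sha256", secret).update(text).digest();

// JSON policy -> URL-safe base64 (padding kept) -> hex HMAC over that string.
function signPolicy(policyObj, secret) {
  const policy = Buffer.from(JSON.stringify(policyObj), "utf8")
    .toString("base64").replace(/\+/g, "-").replace(/\//g, "_");
  return { policy, signature: hmacOf(policy, secret).toString("hex") };
}

// Hypothetical receiving-side check: signature first, then expiry and handle.
function verifyPolicy({ policy, signature }, secret, handle, nowSeconds) {
  const expected = hmacOf(policy, secret);
  const given = Buffer.from(String(signature), "hex");
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) return "bad signature";
  // Only parse the policy once its signature has been verified.
  const claims = JSON.parse(Buffer.from(policy, "base64").toString("utf8"));
  if (!(claims.expiry > nowSeconds)) return "expired";
  if (claims.handle !== undefined && claims.handle !== handle) return "wrong handle";
  return "ok";
}

// FileLink in the query-string form shown above.
function secureFileLink(handle, { policy, signature }) {
  return "https://www.filestackapi.com/api/file/" + encodeURIComponent(handle) +
    "?signature=" + signature + "&policy=" + encodeURIComponent(policy);
}

// Same fields as the sample policy on this page, valid for ten minutes.
const nowSeconds = Math.floor(Date.now() / 1000);
const security = signPolicy(
  { handle: "KW9EJhYtS6y48Whm2S6D", expiry: nowSeconds + 600 }, APP_SECRET);
console.log(secureFileLink("KW9EJhYtS6y48Whm2S6D", security));
console.log(verifyPolicy(security, APP_SECRET, "KW9EJhYtS6y48Whm2S6D", nowSeconds));
```

A short expiry and a handle-scoped policy limit what a leaked link can be used for, since the policy and signature travel in the URL.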

Add security to your File Viewer

You can specify policy and signature in the HTML div that calls your viewer by using data-fp-policy and data-fp-signature.

<div type="filepicker-preview" data-fp-url="https://www.filestackapi.com/api/file/7cSeLSlZSmCk3k8CQtAv" data-fp-policy="YourPolicy" data-fp-signature="YourHMACSignature" style="width:75%; height:500px"></div>