Security Overview

The Filestack files framework is designed to be powerful and easy to use. Protecting your data, as well as the data of our users, is a top concern of ours. Here, we'll talk about how security works at Filestack and additional steps that you can take to be even more cautious.

Since JavaScript runs client-side, options like the max file size can be modified by your users. Filestack allows you to control this in two ways.

Use without server-side code

You can set the maximum file size allowed in your developer portal (in the security section) to prevent users from tampering with the values. This means that regardless of what the client says the max size is, Filestack will not allow a file larger than the value in your developer portal.

Use with server-side code

Using Filestack security policies, you can specify what actions are permitted and grant appropriate access to your users.

This scheme is based on secret key security where Filestack and you have a shared secret that you can access in your developer portal. Do not share this key. Do not store this secret key in the client. Having access to this secret is what identifies you and validates your policies.

The policies define what the user can and cannot do. Filestack's policies are time based and require an expiration date. This means that the same policy can be used multiple times. It allows for interesting use cases. For example, if you want people to be able to read your Filestack file URLs, but not write to them, you can create a policy that only includes the read permission and expires in 100 years. It does mean that you should also be careful about how you distribute your policies, as they can be reused. If you do not wish them to be reused, setting a short expiration period with appropriate permissions will partly address this concern.
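The following is an added example, not Filestack's own code, showing a server minting a short-lived read-only policy and the checks such a policy has to pass (signature, expiry, permission). It assumes Filestack's documented encoding, which this page does not spell out: the policy is a JSON object with `expiry` and `call` fields, base64url-encoded, and the signature is the hex HMAC-SHA256 of that encoded string under the shared secret. `make_policy`, `check_policy` and the secret value are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder. The real secret comes from the developer portal and
# is loaded server-side only (environment variable or secrets manager).
APP_SECRET = b"EXAMPLE-SECRET-NOT-REAL"


def _sign(policy_b64):
    # Assumed scheme: hex HMAC-SHA256 over the base64url policy string.
    return hmac.new(APP_SECRET, policy_b64.encode(), hashlib.sha256).hexdigest()


def make_policy(calls, ttl_seconds, now=None):
    """Return (policy_b64, signature_hex) granting `calls` for ttl_seconds."""
    now = int(time.time()) if now is None else now
    policy = {"expiry": now + ttl_seconds, "call": sorted(calls)}
    raw = json.dumps(policy, separators=(",", ":")).encode()
    policy_b64 = base64.urlsafe_b64encode(raw).decode()
    return policy_b64, _sign(policy_b64)


def check_policy(policy_b64, signature, wanted_call, now=None):
    """Local mirror of the acceptance checks: signature, expiry, permission."""
    now = int(time.time()) if now is None else now
    # Constant-time compare; verify before trusting any field in the policy.
    if not hmac.compare_digest(_sign(policy_b64).encode(), signature.encode()):
        return "bad signature"
    policy = json.loads(base64.urlsafe_b64decode(policy_b64))
    if policy["expiry"] <= now:
        return "expired"
    if wanted_call not in policy["call"]:
        return "call not permitted"
    return "ok"


if __name__ == "__main__":
    # Five-minute read-only policy: reusable until expiry, useless afterwards.
    p, s = make_policy(["read"], ttl_seconds=300)
    print("policy:", p)
    print("signature:", s)
    print("read now:", check_policy(p, s, "read"))
    print("store now:", check_policy(p, s, "store"))
```

Only the policy and signature are handed to the client; the secret never leaves the server, and anyone who obtains the pair can replay it until `expiry`, which is why the lifetime is kept short here.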

Once you enable security in your account, all requests will require a valid policy and signature. If you are using the REST API, there is another way to validate your requests that does not require a policy and signature; instead, the request must be accompanied by the secret key that you would use to generate a valid policy and signature. This secret key can be found in your developer portal.