Security Policy Creation

Policies can be created for your unique use case.

You can create policies with exact parameters in the Developer Portal, or on your own server.

You can choose the expiration time as well as the specific permissions that can be completed in each call to the API.

Security Policy JSON

In your developer portal your secret key is added to your chosen timestamp and any optional permissions you wish to use.

Short lived policies are best because they reduce the likelihood of abuse by outside parties.

Screenshot showing Filestack security developer portal

You can create a general policy, or you can specify the exact File Handle to apply an individual policy

Screenshot showing Filestack security developer portal

Security Policy Parameters

Required Inputs

expiry Integer

'expiry': epoch_timestamp

The expiration date for the policy. Expiry is an integer calculated using the Unix epoch (number of seconds that have elapsed since January 1, 1970).

Optional Inputs

Call Array

'call': ['permission_name']

The calls that you allow this policy to make. This can be one or many of the following strings in an array:

  • pick - (allows users to upload files)
  • read - (allows files to be viewed/accessed)
  • stat - (allows metadata about files to be retrieved)
  • write - (allows use of the write function)
  • store - (allows files to be written to custom storage)
  • convert - (allows transformation (crop, resize, rotate) of files, also needed for the viewer)
  • remove - (allows removal of Filestack files)
  • exif - (allows exif metadata to be accessed)

A policy without the the call permission specified is permitted to make all calls except for exif, which needs to be explicitly included in a policy in order to be allowed.

Handle String

'handle': 'Filstack_handle'

The unique file handle that you would like to access. All Filestack FileLinks are based on the file handle.

https://www.filestackapi.com/api/file/KW9EJhYtS6y48Whm2S6D has a handle of KW9EJhYtS6y48Whm2S6D

This is for all calls that act on a specific handle.

Pick does not apply when using a handle. The file already exists in the Filestack Infrastructure.

URL String

'url': 'regular_expression'

You can use security to create a subset of URL domains that are allowed to be sources for Filestack transformations. The url parameter only applies to transformations. It does not apply to launching the picker. The URL parameter uses regular expressions to check source domains. The following is an example of a policy that restricts conversion requests to urls from wikimedia.

{'expiry':1577836800,'call':['convert'],'url':'https://upload\.wikimedia\.org/wikipedia/.*'}

Max Size Integer

'maxSize': 1024*1024

The maximum file size in bytes that can be stored by your request. This only applies to local uploads using the store command. No default limit is set.

Min Size Integer

'minSize': 0

The minimum file size that can be stored by your request. This only applies to local uploads using the store command. Together with maxSize, this forms a range. The value of minSize should be smaller than maxSize. Default minimum upload is 0 bytes.

Path String

'path': 'regular_expression'

The path parameter prevents a user from storing files to paths that are different than what is set in the policy. The path must match the storage call exactly. If you specify'path':'/something/new/'and the call directs to'path':'/something/else'the storage call will be rejected. Path has no default set and will allow any storage path unless one is specified('path': '.*')

Container String

'container': 'regular_expression'

The container parameter prevents a user from storing files to containers that are different than what is defined in the policy. This will not prevent a person from reading content from different containers. Read access should be managed by using policies that are handle specific. Container has no default set and will allow any storage container specified in the call unless one is specified('container': '.*')