Security settings
Secure uploading
Signed uploading is a recommended practice if you want to control who can upload files to your application. To enable signed uploads, generate a signature and an expiration date as a timestamp on your backend.
To prepare a function that returns the necessary data, follow the instructions provided in the signed uploads guide.
Once you have generated the signature and expiration date, add the following parameters to the File Uploader in your application:
<lr-file-uploader-regular
css-src="https://unpkg.com/@uploadcare/blocks@0.22.8/web/file-uploader-regular.min.css"
class="uploader-cfg"
id="uploader"
>
</lr-file-uploader-regular>htmlconst uploader = document.querySelector('#uploader');
uploader.style.setProperty ('--cfg-secure-signature', `"${signature}"`);
uploader.style.setProperty ('--cfg-secure-expire', `"${expire}"`);javascriptIt is important to enclose the signature and expiration date within double quotes.
We recommend using the setProperty method to set the --cfg-secure-signature
and --cfg-secure-expire parameters as it prevents the caching of sensitive
data.
Secure delivery proxy
The --cfg-secure-delivery-proxy parameter can be used with
signed URLs. Defines template
for your proxy backend URL.
Value for --cfg-secure-delivery-proxy is a string template with the following
variables:
previewUrl
That means that you can use {{previewUrl}} in your template to insert the URL
of a file to proxify.
.my-configuration {
--cfg-secure-delivery-proxy: 'https://domain.com/preview?url={{previewUrl}}';
}cssCSP settings
If the application works with sensitive user data (e.g. personal photos), we
recommend increasing its security with CSP settings.
File Uploader uses Blob URLs for on-the-flight generated images and the
stylesheets in some cases, so don't forget to add blob: source into the CSP
settings:
<meta
http-equiv="Content-Security-Policy"
content="style-src 'self' blob:; script-src 'self'; img-src 'self' https://ucarecdn.com blob:;"
/>html