filebrowser/www/docs/deployment.md
Henrique Dias 1fb05d65de
docs,cmd: warn about broad scope for self-signup users (GHSA-6759-996p-gpj6)
When Signup is enabled with the default scope and createUserDir off, every
self-registered user inherits the served root and can read/modify/delete all
files. Add a startup WARNING for this configuration and document the risk and
the --createUserDir mitigation. No behavior or default change.
2026-06-27 08:18:18 +02:00

1.6 KiB

Self-Registration (Signup)

File Browser allows you to enable user self-registration (signup). This can be enabled via Settings → Global Settings, or with filebrowser config set --signup. Self-registered users inherit the configured user defaults, including the scope.

Warning

By default, the user scope is the server's root, so a self-registered user could read, modify, and delete every file File Browser serves. To prevent this, either:

a. Enable createUserDir so each user gets their own directory; or b. If users are meant to share files, set the default scope to something other than the root.

Fail2ban

File Browser does not natively support protection against brute force attacks. Therefore, we suggest using something like fail2ban, which takes care of that by tracking the logs of your File Browser instance. For more information on how fail2ban works, please refer to their wiki.

Filter Configuration

An example filter configuration targeted at matching File Browser's logs.

[INCLUDES]
before = common.conf

[Definition]
datepattern = `^%%Y\/%%m\/%%d %%H:%%M:%%S`
failregex   = `\/api\/login: 403 <HOST> *`

Jail Configuration

An example jail configuration. You should fill it with the path of the logs of File Browser, as well as the port where it is running at.

[filebrowser]

enabled = true
port = [your_port]
filter = filebrowser
logpath = [your_log_path]
maxretry = 10
bantime = 10m
findtime = 10m
banaction = iptables-allports
banaction_allports = iptables-allports