Make images and attachments non-public #468

New Issue

Closed

opened 2026-02-04 20:17:08 +03:00 by OVERLORD · 6 comments

OVERLORD commented 2026-02-04 20:17:08 +03:00

Owner

Copy Link

Originally created by @tuaris on GitHub (Oct 11, 2017).

Desired Feature: Make images and attachments non-public.

Expected Behavior

Images should not be accessible when Bookstack is configured to require login to view content.

My proposed solution (keep in mind I know nothing about Laravel) is to create an image proxy that boots up a minimal version of the application (just enough) to get authentication functional. The image proxy would be used when Bookstack is configured to require login to view content. This would be transparent, meaning it can be enabled and disabled without having to modify existing content. Something (I think) can be achieved with URL re-writing.

Current Behavior

According to https://www.bookstackapp.com/docs/admin/security/ images are publicly accessible (for perfectly valid technical/performance reasons).

A user knowing a URL can view any image/attachment and could result in sensitive information being leaked.

Steps to Reproduce

Configure Bookstack to require login when viewing content, copy the URL of an image, open a new private/incognito browser window. Image is visible.

Originally created by @tuaris on GitHub (Oct 11, 2017). Desired Feature: Make images and attachments non-public. ##### Expected Behavior Images should not be accessible when Bookstack is configured to require login to view content. My proposed solution (keep in mind I know nothing about Laravel) is to create an image proxy that boots up a minimal version of the application (just enough) to get authentication functional. The image proxy would be used when Bookstack is configured to require login to view content. This would be transparent, meaning it can be enabled and disabled without having to modify existing content. Something (I think) can be achieved with URL re-writing. ##### Current Behavior According to https://www.bookstackapp.com/docs/admin/security/ images are publicly accessible (for perfectly valid technical/performance reasons). A user knowing a URL can view any image/attachment and could result in sensitive information being leaked. ##### Steps to Reproduce Configure Bookstack to require login when viewing content, copy the URL of an image, open a new private/incognito browser window. Image is visible.

OVERLORD added the 🛠️ Enhancement☕ Open to discussion labels 2026-02-04 20:17:08 +03:00

OVERLORD closed this issue 2026-02-04 20:17:11 +03:00

OVERLORD commented 2026-02-04 20:17:27 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Jan 12, 2018):

Just to confirm on this, Attachments are handled differently and, as long as your BookStack instance is set-up properly, they should not be publicly-accessible unlike images.

@ssddanbrown commented on GitHub (Jan 12, 2018): Just to confirm on this, Attachments are handled differently and, as long as your BookStack instance is set-up properly, they should not be publicly-accessible unlike images.

OVERLORD commented 2026-02-04 20:17:34 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Jan 13, 2018):

Potential solution started in #665

@ssddanbrown commented on GitHub (Jan 13, 2018): Potential solution started in #665

OVERLORD commented 2026-02-04 20:17:44 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Feb 11, 2018):

Potential solution deployed as part of v0.20.0, Details can be found in blog post:
https://www.bookstackapp.com/blog/beta-release-v0-20-0/

Leaving this open for feedback purposes.

@ssddanbrown commented on GitHub (Feb 11, 2018): Potential solution deployed as part of v0.20.0, Details can be found in blog post: https://www.bookstackapp.com/blog/beta-release-v0-20-0/ Leaving this open for feedback purposes.

OVERLORD commented 2026-02-04 20:17:49 +03:00

Author

Owner

Copy Link

@svarlamov commented on GitHub (Mar 20, 2018):

Is there a plan to have this feature setup with S3 via URL signing/proxy?

@svarlamov commented on GitHub (Mar 20, 2018): Is there a plan to have this feature setup with S3 via URL signing/proxy?

OVERLORD commented 2026-02-04 20:17:52 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Mar 24, 2018):

@svarlamov Not at the moment but feel free to open an issue if that's a feature you want.

@ssddanbrown commented on GitHub (Mar 24, 2018): @svarlamov Not at the moment but feel free to open an issue if that's a feature you want.

OVERLORD commented 2026-02-04 20:18:01 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Mar 24, 2018):

Closing this now that the feature has made release, Feel free to open new issues for any image-auth related problems.

@ssddanbrown commented on GitHub (Mar 24, 2018): Closing this now that the feature has made release, Feel free to open new issues for any image-auth related problems.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

l10n_development

further_theme_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

No Label ☕ Open to discussion 🛠️ Enhancement

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#468