Because the API Key is set within the client side of your application, we recommend using Filestack's Security options to protect your assets from potential abuse. You can keep this information secured by applying Filestack security to your account, which then covers any actions taken using your API Key. Our security can be separated into two main pieces: Filestack Policies and Filestack Domain Whitelisting.

Filestack Security Policies have two main components: the policy and the signature. The Filestack Security Policy is a set of permissions that the developer grants to a user, while the signature is the result of running an HMAC algorithm, keyed with your app secret, over that policy. To use security, you will first need to activate it within your developer portal; this can be turned on within the security section of the API Key you would like to work with. After doing so, you will need to create the appropriate JSON for the permissions you wish to grant your users and convert it to a base64 string. The syntax for this can be seen in our documentation here: https://www.filestack.com/docs/security/creating-policies

Next, you will need to generate a signature, which is sent together with your policy whenever files are viewed or manipulated, so you will need to know how to properly include your signature when working with files. As an example, to view a file I would need to use the syntax: cdn.filestackcontent.com/yourHandle?policy=yourBase64Policy&signature=yourSignature, making sure to exchange yourBase64Policy for your policy and yourSignature for the correct signature. To manipulate your files, you will be required to enter these values into a security task, as shown in the following example: process.filestackapi.com/output=format:pdf/security=policy:yourBase64Policy,signature:yourSignature/yourHandle

Viewing and manipulating files is only half of working with them, however; you will still need to properly instantiate the client using your policy and signature. To do this, you add a security object after your API Key has been entered, like in the following example:

const client = filestack.init("Your_API_Key", { policy: "yourBase64Policy", signature: "yourSignature" });

Adding the security object in this way allows any method run from the client after instantiation to take in the security parameters and permissions you added to your policy. Certain permissions require security to be enabled in order to be used, such as the remove call or the exif call. This is because account ownership must be proven before deleting files or accessing the private information that is often contained within a file's EXIF data.

While our policies prevent unauthorized access to files, or actions on them, by users attempting to use your API Key, you can also restrict which domains your API Key can be used on through Domain Whitelisting within our developer portal. Just as before, this can be turned on and off as you need, and it is controlled primarily through a regular expression stating which sites you would like to whitelist as 'safe' or 'secure' for use with the API. You can also authorize the use of localhost if you need to test locally before pushing to development or production environments. The regular expressions and syntax you can use for this are further detailed here: https://www.filestack.com/docs/whitelisted-domains