File Security¶
To protect the system from unwanted or malicious files, all uploaded files go through a series of validation and security checks. These checks ensure that only safe and compliant files are processed.
Validation Steps¶
Uploaded files are validated through the following steps:
- File size check
  - Verifies that the uploaded file does not exceed the maximum allowed size
  - Prevents denial-of-service attempts caused by overly large files
- File name length check
  - Verifies that the file name is within acceptable length limits
  - Prevents issues with excessively long file names that may cause storage or display problems
- File extension check
  - Verifies that the file extension is included in the system's list of allowed extensions
  - Prevents execution or upload of disallowed file types
- File content verification
  - Verifies that the internal content of the file matches the declared extension
  - Prevents files disguised with misleading extensions (e.g., a script renamed as a .jpg)
  - Requires proper configuration to function
  - Only available in cloud environments
- Anti-malware scanning
  - Verifies that the file does not contain viruses, trojans, or other malicious payloads
  - Uses the configured anti-malware solution to scan the file
  - Requires proper configuration to function
It is strongly recommended to enable all of these checks for comprehensive protection. Note that the file extension check on its own cannot detect a file whose extension has simply been changed; that case is caught by File content verification, so enable it where it is available.
Configuration¶
File extension check¶
Available in: Lime Admin > System > Files > Security > Allowed file extensions
When performing the File extension check, the system compares each uploaded file's extension against this list, enabling administrators to manage which file types are allowed.
If the allowlist is left empty, the system falls back to the default allowlist defined in the service configuration. If no default allowlist is defined, all file extensions are allowed.
Warning
Leaving the allowlist empty without a system default means that any file extension can be uploaded, which may expose the system to unwanted or malicious files.
To maintain security, it is strongly recommended to explicitly configure the allowlist.
Configuring the default allowlist¶
The default allowlist for file extensions is configured at the service level and applies when no application-specific allowlist is set in Lime Admin.
The configuration follows the same format as when performed from Lime Admin:
- Extensions are defined without a leading dot: txt instead of .txt
- Extensions with multiple segments are supported, e.g. tar.gz
Configuration Methods:
For Lime Cloud environments, the service configuration is managed through the Cloud Admin tool:
- Navigate to your Application Cluster's Overview tab
- Locate the Service Configuration (json) section
- Locate (or add) the file.security section
- Add or modify the extension_allowlist array
- Apply the configuration changes
For on-premise installations, update the service configuration file directly, using the same file.security section and extension_allowlist array.
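The fragment below is an added example of what the service configuration section looks like; it is not taken from this page. The key names file.security and extension_allowlist come from the steps above, but the nesting (a top-level object literally named "file.security") and the extensions listed are assumptions chosen for illustration, so check them against your own service configuration before applying.

```json
{
  "file.security": {
    "extension_allowlist": [
      "pdf",
      "docx",
      "xlsx",
      "png",
      "jpg",
      "txt",
      "tar.gz"
    ]
  }
}
```

Entries carry no leading dot, and the multi-segment entry tar.gz is listed as a single string, matching the format used in Lime Admin.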
Best Practices:
- Include only the file extensions that are actually needed for your business processes
- Regularly review and update the allowlist based on security requirements
- Consider the security implications of each file type before adding it to the list
- Test the configuration after changes to ensure it works as expected
Tip
Start with a restrictive list and add extensions as needed rather than starting with a permissive list and removing extensions later.
File content verification¶
Note
This section applies only if File content verification is enabled and properly configured.
Available in: Lime Admin > System > Files > Security > File content check
When performing File content verification, the system examines the contents of an uploaded file to determine its actual type and checks that this type matches the file's extension. If the detected type is not already mapped to the file's extension, administrators can provide additional mappings between file types (MIME types) and extensions so that legitimate files of that kind are accepted.
Validate File¶
Available in: Lime Admin > System > Files > Security
The system includes a Validate File tool that lets you test an uploaded file against the current file security settings. Each file is checked using the configured validation steps.
Once the validation is complete, the system presents a step-by-step summary showing whether each check passed, failed, or was skipped.
If a file fails a check, the interface may offer possible actions to update the settings. These are only available for specific validation steps and allow administrators to adjust security settings when needed to accept the file.
Note
The File size check is enforced in the web client and at the web server level (nginx) and is therefore not included in the file validation summary.
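To make the behaviour described on this page concrete, the following Python is an added, self-contained model (not Lime's own code, which this page does not show) of the validation pipeline under Validation Steps, the MIME-to-extension mappings under File content verification, and the passed/failed/skipped summary produced by the Validate File tool. The magic-byte table, the default type map, the allowlist matching rule for multi-segment extensions, the sample inputs and the toy EICAR-only scanner are all constructed for the example and are assumptions, not a description of the product's internals.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed magic-byte table (leading bytes -> MIME type); a real deployment
# would use a maintained type-detection library rather than this subset.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"), (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"), (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"), (b"\x1f\x8b", "application/gzip"),
]
# Assumed default extension -> accepted MIME types; administrators extend it with
# extra mappings (the "additional mappings" the page refers to).
DEFAULT_TYPE_MAP: dict[str, set[str]] = {
    "png": {"image/png"}, "jpg": {"image/jpeg"}, "jpeg": {"image/jpeg"},
    "gif": {"image/gif"}, "pdf": {"application/pdf"}, "zip": {"application/zip"},
    "gz": {"application/gzip"}, "tar.gz": {"application/gzip"},
    "txt": {"text/plain"}, "csv": {"text/plain"},
}

@dataclass
class StepResult:
    step: str
    status: str  # "passed", "failed" or "skipped"
    detail: str = ""

def matched_extension(filename: str, allowlist: Iterable[str]) -> Optional[str]:
    """Longest allowlisted extension (stored without a leading dot) the name ends with, or None.
    Longest wins so "backup.tar.gz" reports "tar.gz" even when "gz" is also allowed."""
    name = filename.lower()
    hits = [e.lower().lstrip(".") for e in allowlist
            if name.endswith("." + e.lower().lstrip("."))]
    return max(hits, key=len) if hits else None

def sniff_mime(data: bytes) -> Optional[str]:
    """Identify the content from its bytes, ignoring the declared extension."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Printable UTF-8 with only tab/CR/LF as control characters counts as text.
    return "text/plain" if text and all(c in "\t\r\n" or c.isprintable() for c in text) else None

def validate_file(filename: str, data: bytes, *, allowlist: Iterable[str], max_size: int,
                  max_name_len: int, content_check: bool = True,
                  extra_type_map: Optional[dict[str, set[str]]] = None,
                  scanner: Optional[Callable[[bytes], bool]] = None) -> list[StepResult]:
    """Run every step and return a per-step summary (passed / failed / skipped)."""
    def verdict(ok: bool) -> str:
        return "passed" if ok else "failed"
    results = [
        StepResult("File size check", verdict(len(data) <= max_size), f"{len(data)} bytes, limit {max_size}"),
        StepResult("File name length check", verdict(len(filename) <= max_name_len),
                   f"{len(filename)} chars, limit {max_name_len}"),
    ]
    ext = matched_extension(filename, allowlist)
    results.append(StepResult("File extension check", verdict(ext is not None),
                              f"matched '{ext}'" if ext else "extension not in allowlist"))
    # Content verification compares the sniffed type with the accepted extension, so it
    # is skipped when the step is disabled or no allowlisted extension matched.
    if not content_check or ext is None:
        results.append(StepResult("File content verification", "skipped"))
    else:
        type_map = {**DEFAULT_TYPE_MAP, **(extra_type_map or {})}
        mime = sniff_mime(data)
        if mime is None:
            results.append(StepResult("File content verification", "failed", "content type not recognised"))
        else:
            ok = mime in type_map.get(ext, set())
            results.append(StepResult("File content verification", verdict(ok),
                                      f"detected {mime}" + ("" if ok else f", not mapped to .{ext}")))
    # Scanning is delegated to an injected callable (True = clean); no scanner means skipped.
    if scanner is None:
        results.append(StepResult("Anti-malware scanning", "skipped", "no scanner configured"))
    else:
        results.append(StepResult("Anti-malware scanning", verdict(scanner(data))))
    return results

def statuses(results: list[StepResult]) -> dict[str, str]:
    """Collapse a summary to {step: status}."""
    return {r.step: r.status for r in results}

def eicar_scanner(data: bytes) -> bool:
    """Toy scanner standing in for a real engine: flags only the EICAR test string."""
    return b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" not in data

if __name__ == "__main__":
    # Constructed input: a shell script renamed to .jpg passes the extension check but
    # fails content verification, which is exactly the case the page warns about.
    for r in validate_file("shell.jpg", b"#!/bin/sh\necho pwned\n",
                           allowlist=["jpg", "png"], max_size=1024, max_name_len=64):
        print(f"{r.step:28} {r.status:8} {r.detail}")
```

The model mirrors two details from the page worth keeping in mind when reading a Validate File summary: content verification cannot run without an accepted extension to compare against, so it reports skipped (not passed) when the extension check fails or the step is not configured, and anti-malware scanning is likewise skipped rather than silently passed when no scanner is configured. The size check is modelled here for completeness even though, per the note above, the real tool enforces it in the web client and nginx instead.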