Secure File Serving

This document outlines the steps to enable secure file serving in Baserow, a feature that allows the backend to serve files directly without needing another web server. This capability introduces several benefits, including the ability to set expiration times for file links and enforce access controls based on user authentication and workspace membership. However, it’s important to weigh these benefits against potential performance costs and other considerations.

Note that this is an enterprise feature.

Configuration

To enable secure file serving, you must configure the following environment variables in your Baserow instance:

  1. BASEROW_SERVE_FILES_THROUGH_BACKEND: Set this variable to true to activate backend file serving. This feature is disabled by default. Note that enabling this setting does not automatically secure your storage server against unauthorized access. You should take additional security measures if your storage server serves files publicly.

  2. BASEROW_SERVE_FILES_THROUGH_BACKEND_PERMISSION: This variable controls access permissions for downloading files. The default setting, DISABLED, allows anyone to download files. To restrict downloads to signed-in users, set this to SIGNED_IN. For tighter control, where only users with workspace access can download files, use WORKSPACE_ACCESS.

  3. BASEROW_SERVE_FILES_THROUGH_BACKEND_EXPIRE_SECONDS: Use this variable to set an expiration time for file links, specified in seconds. Unset, or set this to a non-positive integer, makes file links permanent. Setting a positive integer will make the link expire after the specified duration, enhancing security by preventing outdated link access.

Benefits

  • Enhanced Security: Direct backend serving of files allows for more granular control over who can access files and when.
  • Expiration Times: Ability to set expiration times for file links, reducing the risk of unauthorized access to files over time.
  • Access Control: Ensures that files can only be downloaded by users who are either logged in or have specific workspace access, based on your configuration.

Considerations

  • Performance Cost: Serving files through the backend can introduce a performance overhead. It may necessitate deploying additional backend (asgi or wsgi) workers to maintain fast response times.
  • Enterprise License Required: This feature requires a valid enterprise license to activate.
  • Domain Restrictions for Cookie-Based Authentication: If using cookie-based user checks, the Baserow instance must be on the same domain or subdomains as the frontend. Cross-domain setups will not support this authentication method.
  • User Re-authentication: Users must sign in again after this feature is enabled to ensure proper access control.
  • Publicly Shared Files: Depending on the configured permission level, files that are publicly shared through applications, views, or APIs may become inaccessible.

Steps to Enable

  1. Ensure you have a valid enterprise license for Baserow.
  2. Configure the environment variables as described in the Configuration section above.
  3. If your files were previously served directly from a storage service like S3, adjust your storage service settings to ensure files are no longer publicly accessible. Baserow will now handle file serving.
  4. Consider the performance implications and plan for additional backend workers if necessary.
  5. Inform users that they may need to sign in again to access files after these changes.

By following these steps and considerations, you can securely serve files through Baserow, enhancing the security and control over file access within your organization.

Monitoring your Baserow server Backend API