Documentation

• Welcome
• User guide
• Admin guide
• FileRun homepage
• Changelog
• Contact us

Install

• Requirements
• Install guides
• PHP configuration
• PHP compatibility/upgrade
• Troubleshooting
• Reverse proxies
• Securing FileRun
• Server optimization

Configure

• Setting the time zone
• Enabling thumbnails and preview
• Troubleshooting thumbnails
• E-mail notification system
• File preview options
• File indexing
• Authentication integration
• 2FA - 2-step verification
• Google editor integration
• Advanced configuration

Customize

• File plugins
• Translating FileRun
• Custom CSS
• Custom event scripts

Feature Information

• Screenshot sharing
• File searching
• Desktop sync
• Metadata
• Mobile apps
• File-based activity logs
• WebDAV

The API

• Introduction
• File paths
• API Methods

Maintenance

• Resetting the superuser password
• Updating FileRun
• Backing up the installation
• Changing MySQL connection information
• Deleting old user files
• Migrating to another server
• Command line tools

• Securing the FileRun installation

Securing the FileRun installation🔗

Once you have FileRun running, it is strongly recommended following these steps in order to secure it:

• Make sure all the user folders are outside the public area of your HTTP server!
• Configure your HTTP server to block access to .php files inside the /apps folder. FileRun applies a .htaccess file for Apache and a web.config file for ISS. For NGINX, see the file /apps/security.nginx on suggested configuration that you will need to set in your NGINX configuration.
  • Test to make sure .php files are not accessible via the web server.
• Configure your HTTP server to block access to the folder /system. FileRun applies a .htaccess file for Apache and a web.config file for ISS. For NGINX, see the file /apps/security.nginx on suggested configuration that you will need to set in your NGINX configuration.
  • Test to make sure the folder is not accessible via the web server.
• The default user account, superuser, is the only account not protected against brute force login attacks, so it is very important that you set a password that cannot be guessed by a computer. Set a long password, containing also uppercase letters, digits and symbols.
• Don't use FileRun (or any website) via unencrypted HTTP!
• Make sure session.cookie_httponly is set to On, in your server's PHP configuration file, for increased security against cross-site-scripting attacks. Update the configured MySQL user account and remove the ALTER and DROP privileges.
• Make sure the permissions of the FileRun application files do not allow PHP (or any other system user) to make changes to them. Make an exception for the system/data folder and its contents, where FileRun needs to be able to make changes.
• Make sure display_errors is set to Off, in your server's PHP configuration file.
• Do not expose the MySQL/MariaDB database server to the Internet. Do not leave the root account without a password.

When using Docker, use only an official FileRun Docker image.