Documentation

• Welcome
• FileRun homepage
• Changelog
• Get notified about updates
• Contact us

Install

• Requirements
• Install guides
• PHP configuration
• PHP compatibility/upgrade
• Troubleshooting
• Reverse proxies
• Securing FileRun
• Server optimization

Configure

• Setting the time zone
• Enabling thumbnails and preview
• Troubleshooting thumbnails
• E-mail notification system
• File preview options
• File indexing
• Authentication integration
• 2FA - 2-step verification
• Google editor integration
• Advanced configuration

Customize

• File plugins
• Translating FileRun
• Custom CSS
• Custom event scripts

Feature Information

• Screenshot sharing
• File searching
• Desktop sync
• Metadata
• Mobile apps
• File-based activity logs
• WebDAV

The API

• Introduction
• API Methods

Maintenance

• Resetting the superuser password
• Updating FileRun
• Backing up the installation
• Changing MySQL connection information
• Deleting old user files
• Migrating to another server
• Command line tools

• Securing the FileRun installation

Securing the FileRun installation🔗

Once you have FileRun running, it is strongly recommended following these steps in order to secure it:

• Make sure all the user folders are outside the public area of your HTTP server!
• Configure your HTTP server to block access to .php files inside the /apps folder. FileRun applies a .htaccess file for Apache and a web.config file for ISS. For NGINX, see the file /apps/security.nginx on suggested configuration that you will need to set in your NGINX configuration.
  • Test to make sure .php files are not accessible via the web server.
• Configure your HTTP server to block access to the folder /system. FileRun applies a .htaccess file for Apache and a web.config file for ISS. For NGINX, see the file /apps/security.nginx on suggested configuration that you will need to set in your NGINX configuration.
  • Test to make sure the folder is not accessible via the web server.
• The default user account, superuser, is the only account not protected against brute force login attacks, so it is very important that you set a password that cannot be guessed by a computer. Set a long password, containing also uppercase letters, digits and symbols.
• Don't use FileRun (or any website) via unencrypted HTTP!
• Make sure session.cookie_httponly is set to On, in your server's PHP configuration file, for increased security against cross-site-scripting attacks. * Update the configured MySQL user account and remove the ALTER and DROP privileges. (You might need to add these back before installing any FileRun update.)
• If you are on a shared hosting service, make sure the permissions of the FileRun application files do not allow PHP (or any other web server application) to make changes to them. Make an exception for the system/data folder and its contents, where FileRun needs to be able to make changes.
• Make sure display_errors is set to Off, in your server's PHP configuration file. * Register your FileRun installation, from the control panel, under Software licensing, to be able to keep the installation secure and up to date!
• Do not expose the MySQL database to the Internet. Do not leave the MYSQL root account without a password. Disable it's remote root access.

When using Docker, try to avoid using unofficial images.