Security Settings

Best-in-class security comes from providing customers with a file server platform that is tuned for maximum security out of the box, with no manual configuration necessary. This means that strong encryption enforcement, brute force protection, and IP address pinning for web sessions are built in and enabled by default.

We also realize that every organization has unique security requirements, so we give site administrators full control over these security features, allowing you to fine-tune your site settings to meet your needs.


Plain/unencrypted FTP Support

By default, FTP connections to your site that do not use secure encryption are rejected. If you need to support very old devices or FTP clients, you can use the global setting, found at Settings > Integrations > Transfer Protocols > Plain/unencrypted FTP Support, to allow unencrypted FTP connections (port 21 without SSL).

You can also allow unencrypted FTP connections on a per-user basis via the Plain/unencrypted FTP Support user setting, found at Settings > Users > selected user account > Other connections > Plain/unencrypted FTP Support.

Note: Allowing unencrypted connections is dangerous because it will cause passwords and file contents to be transmitted across networks in clear text.

Default: Require SSL on all FTP connections (recommended)

HTTPS, FTPS, and SFTP ciphers

Navigate to Settings > Integrations > Transfer Protocols > HTTPS, FTPS, and SFTP ciphers. This setting allows compatibility with old browsers and old SFTP/FTP clients by allowing SSLv3, TLSv1.0, SHA1, and other ciphers that are known to be insecure but required by older versions of clients.

Note: Enabling this option is dangerous because an uninformed user of your site might think that they are using secure encryption when they are actually using encryption that is broken. You should treat all connections to your site as if they are fully insecure if you use this option.

SFTP ciphers

Key Exchange






The following insecure SFTP ciphers are supported only when allowing connections with insecure ciphers.

Key Exchange






Default: Only allow connections with secure, contemporary ciphers (recommended)

IP Whitelisting

Site-wide IP whitelist

The setting found at Settings > Users > User Settings > IP whitelist allows you to limit which IP addresses your users are allowed to connect from. List allowed IPs, one per line. You may specify a range in CIDR format, such as

If you have also set up user-specific IP whitelists, users connecting from an IP address that matches either whitelist will be allowed to log in.

User-specific IP whitelist

You can manage IP whitelisting for individual users via the IP whitelist user setting, found at Settings > Users > selected user account > Authentication > IP whitelist. If you are also using a site-wide IP whitelist, users connecting from an IP address that matches either whitelist will be allowed to log in.
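Because a match in either whitelist is enough, a user-specific list can only add to the site-wide list, never narrow it. The following is an added example, not the product's own code, that models the either-list rule and flags user entries that widen access beyond the site-wide list; the function names, sample addresses, and the assumption that no configured whitelist means no IP restriction are hypothetical.

```python
import ipaddress

def parse_whitelist(text):
    """Parse a whitelist: one entry per line, single IPs or CIDR ranges."""
    networks = []
    for line in text.splitlines():
        entry = line.strip()
        if entry:
            # strict=False tolerates entries with host bits set (e.g. 203.0.113.7/24)
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks

def matches(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in networks)

def login_allowed(ip, site_list, user_list):
    """Either-list rule: a match in the site-wide OR the user list admits the IP."""
    # Assumption (not stated on the page): no whitelist at all means no restriction.
    if not site_list and not user_list:
        return True
    return matches(ip, site_list) or matches(ip, user_list)

def widening_entries(site_list, user_lists):
    """Per user, list the entries not already covered by the site-wide list."""
    report = {}
    for user, nets in user_lists.items():
        report[user] = [
            str(n) for n in nets
            if not any(n.version == s.version and n.subnet_of(s) for s in site_list)
        ]
    return report

# Constructed sample data using documentation address ranges.
SITE = parse_whitelist("203.0.113.0/24\n198.51.100.10\n")
USERS = {
    "alice": parse_whitelist("192.0.2.44\n"),        # outside the site-wide list
    "bob": parse_whitelist("203.0.113.128/25\n"),    # already inside 203.0.113.0/24
}

if __name__ == "__main__":
    for user, extra in widening_entries(SITE, USERS).items():
        print(user, "adds access from:", extra or "nothing beyond the site-wide list")
```

Reviewing the widening entries per user shows which accounts can log in from addresses the site-wide list would otherwise exclude.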

Advanced Security Settings

Brute force protection

This feature is an extra layer of protection for organizations that desire an aggressive level of security, as general brute force protection is already built in. It will lock users out after a given number of failed login attempts, further protecting you from brute force password guessing attempts. Navigate to Settings > Users > User Settings > Brute force protection.

Note: Care should be taken when enabling this setting to avoid accidental user lockouts. We recommend having at least one backup administrator user who will be able to unlock another administrator in the event of an accidental lockout.

Default: Use default protection

Session IP address pinning

This setting helps to secure your site against session hijacking attempts by pinning user sessions to the IP address they originated from.

With this setting enabled, users will be asked to log in again if their IP address changes. This could occur when they change networks, such as moving their laptop from the office to their home network. Disabling this setting is required on some office networks that rotate public IP addresses.

Navigate to Settings > Users > User Settings > Session IP address pinning.

This setting does not apply to the Desktop app, which uses longer-lived session tokens (see Desktop Session IP Pinning).

Default: Enabled (recommended)

Session expiration

Web interface sessions will automatically expire after a period of inactivity. Use this setting to customize the session idle timeout if needed. Navigate to Settings > Users > User Settings > Session expiration.

Default: 6 hours

Desktop Session IP Pinning

Similar to the Session IP address pinning setting, enabling this setting will force users of the Desktop app to log in again if their IP address changes while they are logged in to the Desktop app. Navigate to Settings > Users > User Settings > Desktop Session IP Pinning.

Default: Disabled

Desktop Session Lifetime

The Desktop app uses session tokens which have a limited lifetime. Use this setting to customize how long those sessions last once a user has logged into the app. Navigate to Settings > Users > User Settings > Desktop session lifetime.

Default: 720 hours (30 days)
