Share Link Security

Share Links are designed for convenient, ad-hoc sharing of files and folders with external contacts. Files.com takes security seriously, so we provide features to protect your link from people who shouldn't have access.

You can secure each Share Link with a password. Password-protected shares will require visitors to enter the correct password in order to view and download the contents of the share.

By default, password protection of Share Links is optional, but site administrators can require passwords for all Share Links. When passwords are required for Share Links, users must supply a password while they are creating the Share Link. To prevent the use of weak passwords by your users, you can also require that passwords for links meet the requirements for user passwords.

Much like password protection, access control helps you ensure that only your intended recipients can use your Share Link. Enabling access control is appropriate when you want only specific people to access your links.

When access control is enabled for a Share Link, visitors must follow a link from an emailed invitation to access the link. A session is created and saved in the web browser's local storage when a recipient clicks on an emailed share link, which is tied to that specific web browser and the email address that received the link. If the link is later visited in a different browser (either on the same computer or another computer), the share link will display an error that the invitation has already been used. Each time the system detects share link reuse when access control is enabled, it will automatically generate a new email with a new link and re-send it to the original recipient. A recipient who receives an emailed link sent from your site can use the same link repeatedly from the same browser without invalidating the link.

Changing the access control for an existing link will affect only new visitors who follow the link without receiving an email invitation. Anyone who visited the link before access control was enabled will still have access to the share link.

To completely reset all access to a Share Link, you must revoke the share link and create it again. To keep previous visitors out, you can either add a password to the new Share Link (and not provide it to the people who should not have access) or you can enable access control on the new link and send email invitations to the people who should have access to the link.

By default, access control is disabled for Share Links. Site administrators can require that all new Share Links use access control. Users cannot override this on a link when access control is enabled for all share links.

You can take this security further by restricting the domains that can receive Share Link email invitations. Files.com maintains an internal block list of thousands of known scam and free email domains. The list is refreshed regularly, and it is not published. Site administrators can automatically apply this block list to all emailed Share Link invitations, preventing your users from sharing with unapproved addresses.

For more fine-grained control, site administrators can manually supply your own list of domains to block, as well. Both lists can be used at the same time to form a comprehensive email domain blacklist.

When using either or both block lists, it is highly recommended to also enable access control for all links to prevent users from providing direct access to a Share Link URL.

The block lists are used for determining whether a link invitation can be sent; if your link does not require access control, web visitors can register using an address that is on either of the block lists.

Whether you're allowing visitors to directly access a Share Link URL, or if you require them to follow a link from an emailed invitation, you will usually want to limit how long a share link will be valid.

Sometimes, it is helpful to create a Share Link before it will be used. For example, if attendees to an in-person event are provided a link to download materials, you might want to prevent them from accessing those materials until after the in-person event has concluded. You can set the publish date for the link, which is the earliest date that the link will work.

Rather than relying on your users to disable a share link after it has been created, you can set an expiration date for the share link. Expired Share Links display an error message to web visitors, so they are not able to access the contents of the link.

Site administrators can enforce a maximum number of days for a link to be valid. This limit applies to every Share Link, and users cannot override the setting for a link. A Snapshot Share Link automatically enforces an expiration of 60 days after the Share Link is created; if the site's maximum expiration setting is less than 60 days, the site's maximum is used instead. You can edit your share at any time to manually set the expiration to any date earlier than the site's maximum setting

Share Links that have passed their expiration date are no longer functional. To restore a Share Link that has expired, edit the Share Link and adjust the expiration date.

To guard against a Share Link being accessed too many times, you can designate a maximum number of visitors that can visit the Share Link before it is automatically disabled. The number of visitors is determined by browsing data, so a user who follows the link on multiple devices may be counted more than once. A user who visits the link multiple times from the same browser will usually only be counted as one visitor.