Share Link Security
Share Links are designed for convenient, ad-hoc sharing of files and folders with external contacts. Files.com provides several features to protect your link from people you don't want to access it.
Site-Wide Sharing Settings for Security
Some security settings are available only to site administrators because they affect the behavior of all Share Links within the site. Site administrators configure these settings to enforce best practices and comply with your organization's security program.
The Password protect all Share Links setting and the Apply password rules to shares, inboxes, and publicly served folders setting define password protection rules for all Share Links. The Enforce access control for all Share Links setting and the Recipient email restrictions settings (Block known scam or free email domains and Additional email domains to block) control how Share Links are accessed and who can be invited to access them. The Share Link expiration setting allows site administrators to enforce a maximum number of days before a Share Link is automatically removed.
The Auto-revoke Share Links for deactivated users setting allows automatic deactivation of Share Links owned by a user when that user is disabled or deleted.
Password Protection
You can secure each Share Link with a password. Password-protected shares require visitors to enter the correct password to view and download the contents of the share.
By default, password protection of Share Links is optional, but site administrators can require passwords for all Share Links. When passwords are required for Share Links, users must supply a password while creating the Share Link. To prevent the use of weak passwords, you can also require that Share Link passwords meet the requirements for user passwords.
When the site setting to require passwords for all Share Links is not enabled, users can still enable password protection within the settings for each of their Share Links.
Password protection for Share Links is not compatible with email-based one-time passwords because only one authentication type is permitted per Share Link.
Prefer password protection over one-time email passwords whenever your workflow means contacts view your Share Link embedded in another website or by accessing the link URL directly.
Email Based One-Time Password
The email-based one-time password feature lets users offer a workflow that does not require distributing passwords for a Share Link while still protecting your link's contents from people other than the intended recipient.
The workflow validates that the person visiting your Share Link is your intended recipient by verifying they have access to the recipient's email at the time of visiting. When they visit your Share Link, Files.com generates a new email to the recipient with a single-use password, and the link page requires that password to proceed. Each password is valid for only 1 use.
Email-based one-time passwords are not compatible with standard Password protection for Share Links because only one authentication type is permitted per Share Link. Use the settings on your Share Link to enable either password protection, email-based one-time passwords, or neither.
To ensure that only emailed contacts can access your Share Link, enable Access Control for your Share Link when you enable email-based one-time passwords.
Because email-based one-time passwords require knowing the recipient's email before they visit the link, you must use email invitations to publish your link to recipients. Each recipient receives multiple emails. The first email is the invitation email, with the personalized URL the recipient must follow to access their Share Link. When the recipient visits their personalized URL, the Share Link One-Time Password email is generated and sent separately.
Because email invitations are required with the email-based one-time password, you cannot use this feature with a Share Link that is embedded in a web page. Visitors who access the Share Link URL without following an invite cannot access the Share Link.
Access Control
Access control locks a Share Link to invited recipients and one web browser. Enabling access control prevents an invitation URL from working in more than one browser.
Access control prevents new access; it does not remove access from an existing visitor to your Share Link.
What Access Control Enforces
Recipients must enter through an emailed invitation. Each invitation email contains a recipient-specific URL.
Each recipient gets a unique URL. Recipients do not affect each other, so inviting multiple people to a Share Link with access control allows each person to use the link in their own invitation email.
Each invitation URL maps to 1 invited email address, so activity using that URL is logged under that invited email address.
Files.com binds that URL to the first browser that opens it. That browser becomes the only browser that can use that URL.
Files.com does not verify that the human using the browser matches the email. This is because browsers do not know whether the person following the URL was the original recipient or whether the URL was copied or the email is forwarded.
Browser Binding and Link Reuse
When a recipient opens their invitation URL, Files.com stores a session identifier in the browser's local storage. That identifier ties the invitation URL to that browser.
When the invitation URL opens in a different browser, Files.com shows a message that the invitation code has expired. Files.com sends a replacement email to the invited recipient with a new recipient-specific URL.
Files.com disables the original invitation URL after link reuse. All visitors who start a new session at that URL see a message that the invitation code has expired.
The browser that first opened the invitation URL keeps access through its existing session. To move to a different browser, open the newest invitation email in that browser.
Files.com sends at most 1 replacement email every 15 minutes. This limit applies per recipient per Share Link.
Common Scenarios When Access Control Is Enabled
Each recipient gets a unique invitation URL. Access control limits each URL to one browser session.
- The first browser that opens the URL gets access. That browser keeps access through the same session.
- Any other browser that opens the same URL sees a message that the invitation code has expired.
- Files.com emails the invited recipient a replacement URL. Files.com sends at most 1 replacement email every 15 minutes.
Scenario - Invitation Email Was Forwarded
We invite Bob to a Share Link. Bob forwards the email to Alice.
Alice clicks Bob's invitation link first. Alice gets access. Files.com logs the access under Bob's email address because the URL is tied to Bob.
Bob clicks the same invitation link later. Bob sees a message that the invitation code has expired. Bob cannot access the Share Link.
Files.com emails Bob a replacement link. Bob uses the new link to access the Share Link.
Scenario - Invitation Email Opened By Recipient and Forwarded Later
We invite Carlos to a Share Link. Carlos forwards the invitation email to Devina.
Carlos clicks his invitation link first. Carlos gets access.
Devina clicks the forwarded link later. Devina sees a message that the invitation code has expired. Devina cannot access the Share Link.
Files.com emails Carlos a replacement link. Carlos can still use the original link in the browser he used earlier until that session ends.
Scenario - Recipient Follows URL on Multiple Devices
We invite Ezra to a Share Link.
Ezra opens the invitation link on a work computer. Ezra gets access.
Ezra opens the same invitation link on a home computer later. Ezra sees a message that the invitation code has expired.
Files.com emails Ezra a replacement link. Ezra uses the new link on the home computer to access the Share Link. Ezra can still use the original link in the same browser on their work computer until that session ends.
Scenario - Recipient Uses Private Browsing
We invite Fiona to a Share Link.
Fiona opens the invitation link in a normal browser window. Fiona gets access.
Fiona opens the same invitation link in a private browsing window. Fiona sees a message that the invitation code has expired. Fiona cannot access the Share Link in the private browsing window.
Files.com emails Fiona a replacement link. Fiona uses the new link in the private window to access the Share Link. Fiona can still use the original link in the normal browser window until that session ends.
Scenario - Multiple Invited Recipients
We invite Gregory, Haeyoung, and Indu to the same Share Link. Files.com sends each recipient a unique invitation URL.
Gregory opens Gregory’s URL and gets access. Indu opens Indu’s URL and gets access.
Gregory’s URL does not invalidate Indu’s URL. Each recipient’s URL binds and rotates independently.
When to Use Access Control
Turn on access control when you already know who you intend to access your link, and the process starts from an invitation email. Access control requires using email invitations with your recipients.
Use access control for sensitive one-to-one or one-to-few sharing. A common case is when a recipient forwarding the invitation email could create unintended access that you want to prevent.
Do not use access control for broad distribution. Do not use it when you will publish the Share Link's address on websites, chat channels, printed handouts, or QR codes, or when embedding the link in your own site.
If you need stronger proof that the visitor controls the invited email address, enable email-based one-time passwords on top of access control.
Enforce Access Control for All Share Links
Your site includes a setting to Enforce access control for all Share Links. When a Site Administrator enables the setting, all new Share Links enforce access control, which also means they require emailed invitations.
Enabling the setting does not change the settings for any Share Links that already exist. To apply access control to existing Share Links, edit each Share Link to change its settings.
Do not enable this setting when you want to publish any Share Link addresses on websites, chat channels, printed handouts, or QR codes, or when embedding a link in your own site.
Configure Access Control for a Single Share Link
If your site does not enforce access control, set Access control per Share Link. Choose Allow access from anybody with the share URL or Only allow access from emails generated from Files.com.
Use Allow access from anybody with the share URL when you don't want to use email invitations, when you will publish the link address to multiple people, or when you don't know beforehand who will visit your Share Link.
Use Only allow access from emails generated from Files.com for sensitive one-to-one or one-to-few sharing, and when you know who you will invite to your Share Link. Turning on access control for an existing Share Link blocks new, non-invited browsers. It does not end sessions that already opened the Share Link.
Remove Existing Access to a Share Link
Revoking a Share Link ends all active sessions for that Share Link. Create a new Share Link after you revoke.
To control who regains access, add a password to the new Share Link. Or enable access control and invite the right recipients.
Recipient Email Restrictions
You can restrict the domains that can receive Share Link email invitations. Site administrators can configure two Recipient email restrictions settings for your site: Block known scam or free email domains and Additional email domains to block. Both lists can be used at the same time to form a combined email domain blocklist. Because these settings apply to your entire site, they cannot be overridden for individual users or Share Links.
The Block known scam or free email domains setting applies Files.com's block list of known scam and free email domains. The list is refreshed regularly, and it is not published. Enabling this setting automatically applies the block list to all emailed Share Link invitations, preventing your users from sharing with unapproved addresses.
For more fine-grained control, site administrators can supply their own list of domains to block, using the Additional email domains to block setting.
When using either or both block lists, also enable the Enforce access control for all Share Links setting for your site to prevent users from providing direct access to a Share Link URL.
The block lists restrict only whether a link invitation can be sent. If your link does not require access control, web visitors can register using an address that is on either of the block lists.
Share Link Expiration Dates
Whether you allow visitors to directly access a Share Link URL or require them to follow a link from an emailed invitation, you will usually want to limit how long a Share Link stays valid. Expired Share Links display an error message to web visitors and do not provide access to the contents of the link.
Site administrators can configure your site's Share Link expiration setting to force all Share Links to automatically expire a certain number of days after they are created. You can choose between Never expire shares or provide the number of days before each Share Link expires.
When a site administrator has provided a maximum number of days in the Share Link expiration setting, every Share Link has an Expiration date, and users cannot override any individual Share Link to give it a longer lifetime than the site's maximum. Users can edit their Share Link's Expiration to any date earlier than the site's maximum setting. A Snapshot Share Link automatically enforces an expiration of 60 days after the Share Link is created; if the site's maximum expiration setting is less than 60 days, the site's maximum is used instead.
If the Share Link expiration setting for your site is Never expire shares, users can still choose to add an Expiration date to each Share Link. Snapshot Share Links always have an Expiration date, which is never more than 60 days after the link was created, regardless of the site's Share Link expiration setting.
Because Share Link expiration is set by a site administrator, it applies to all Share Links. Changing your site's Share Link expiration value to a shorter number will immediately expire any Share Links that have been active for more than the provided number of days.
Share Links that have passed their Expiration date do not appear in listings of Share Links, so you cannot re-activate an already expired Share Link to extend its Expiration.
Share Link Publish Date
Sometimes it is helpful to create a Share Link before it is used. The Publish date for a Share Link determines the earliest date the link will work, allowing you to configure a Share Link before you make it available.
If users do not set a Publish date for their Share Link, the link is available as soon as it is created.
For example, imagine you are hosting an in-person event and want to provide a printed handout to attendees so they can download materials. To provide your printer with the correct address or QR code, you must first create the link, but you don't want anyone to access those materials until the event happens. Set the Publish date for your link to the date of your event to prevent attendees from accessing those materials until the in-person event.
Limit Visitors
To guard against a Share Link being accessed too many times, you can designate a maximum number of visitors that can visit the Share Link before it is automatically disabled. The number of visitors is determined by browsing data, so a user who follows the link on multiple devices may be counted more than once. A user who visits the link multiple times from the same browser is usually counted as one visitor.
Get The File Orchestration Platform Today
4,000+ organizations trust Files.com for mission-critical file operations. Start your free trial now and build your first flow in 60 seconds.
No credit card required • 7-day free trial • Setup in minutes