
Share Link Security

Share Links are designed for convenient, ad-hoc sharing of files and folders with external contacts. We take security seriously, so we provide features to protect your link from people who shouldn't have access.

Site-Wide Sharing Settings for Security

Some security settings are available only for site administrators, because they affect the behavior of all Share Links within the site. Site administrators configure these settings to enforce best practices and comply with your organization's security program.

The Password protect all Share Links setting and the Apply password rules to shares, inboxes, and publicly served folders define password protection rules for all Share Links. The Enforce access control for all Share Links setting, and the Recipient email restrictions settings (Block known scam or free email domains and Additional email domains to block) control how Share Links are accessed, and who can be invited to access them. The Share Link expiration setting allows site administrators to enforce a maximum number of days before a Share Link is automatically removed.

Password Protection

You can secure each Share Link with a password. Password-protected shares will require visitors to enter the correct password in order to view and download the contents of the share.

By default, password protection of Share Links is optional, but site administrators can require passwords for all Share Links. When passwords are required for Share Links, users must supply a password while they are creating the Share Link. To prevent the use of weak passwords by your users, you can also require that passwords for links meet the requirements for user passwords.

Access Control

Much like password protection, access control helps you ensure that only your intended recipients can use your Share Link. Enabling access control is appropriate when you want only specific people to access your links.

How Access Control Works

When access control is enabled for a Share Link, visitors must follow a link from an emailed invitation to access the link. A session is created and saved in the web browser's local storage when a recipient clicks on an emailed share link, which is tied to that specific web browser and the email that contained the link. If the same link is later visited in a different browser (either on the same computer or another computer), it will not work on the different browser.

When the system detects share link reuse, it automatically generates a new email with a new link for the original recipient. To prevent flooding a recipient with new links, replacement emails are generated at least 15 minutes apart. A recipient who receives an emailed link sent from your site can use the same link repeatedly from the same browser without invalidating the link.

Once a person has successfully used an emailed link to view your share, they will continue to have access through that same browser session for as long as the Share Link is active. If you are using access control, and a link has been opened by someone who should not have access to the Share Link, you must revoke the Share Link in order to end their session.
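The behavior described above can be modeled as a small state machine. This is an added illustration, not the product's code: the class `InvitedShare`, its method names, the status strings and the token format are all assumptions, and only the 15-minute interval comes from the text.

```python
import secrets
from datetime import timedelta

REISSUE_INTERVAL = timedelta(minutes=15)  # from the text: replacement emails at least 15 minutes apart

class InvitedShare:
    """Simplified model of one recipient's invitation to an access-controlled Share Link."""

    def __init__(self, recipient):
        self.recipient = recipient
        self.revoked = False
        self.links = {}           # emailed link token -> bound browser session (None = unused)
        self.outbox = []          # link tokens emailed to the recipient, oldest first
        self.last_reissue = None
        self._email_link()

    def _email_link(self):
        token = secrets.token_urlsafe(16)
        self.links[token] = None
        self.outbox.append(token)

    def revoke(self):
        # Revoking the Share Link is the only way to end sessions already granted.
        self.revoked = True

    def visit(self, token, session, now):
        """session is the value held in the browser's local storage (None if absent).
        Returns (status, session_to_store)."""
        if self.revoked or token not in self.links:
            return "denied", None
        bound = self.links[token]
        if bound is None:
            # First use binds the link to whichever browser opened it.
            self.links[token] = secrets.token_hex(16)
            return "granted", self.links[token]
        if session is not None and secrets.compare_digest(session, bound):
            return "granted", bound   # same browser: repeated use stays valid
        # Link reuse from a different browser: refuse, and email the original
        # recipient a fresh link unless one was sent in the last 15 minutes.
        if self.last_reissue is None or now - self.last_reissue >= REISSUE_INTERVAL:
            self.last_reissue = now
            self._email_link()
            return "reissued", None
        return "denied", None
```

The model makes one consequence visible: the link binds to the first browser that opens it, so a forwarded invitation opened by the wrong person keeps working for them until `revoke()` is called.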

A site administrator can enable a site setting to Enforce access control for all Share Links. By default, the setting is not enabled. After a site administrator enables the setting, all new Share Links will use access control - only people who receive an email invitation for a Share Link can use the link. Whenever the Enforce access control for all Share Links setting is active, any new Share Links will always use access control.

If the site administrator has not activated the Enforce access control for all Share Links setting for your site, users can configure the Access control settings for their own link. Users can configure their Share Links to Allow access from anybody with the share URL or Only allow access from emails generated from. Each Share Link's Access control setting can be changed by anyone with access to the Share Link.

Changing the access control for an existing link will affect only new visitors who follow the link without receiving an email invitation. Anyone who visited the link before access control was enabled will still have access to the share link.

To completely reset all access to a Share Link, you must revoke the share link and create it again. To keep previous visitors out, you can either add a password to the new Share Link (and not provide it to the people who should not have access) or you can enable access control on the new link and send email invitations to the people who should have access to the link.

Recipient Email Restrictions

You can take this security further by restricting the domains that can receive Share Link email invitations. Site administrators can configure 2 Recipient email restrictions settings for your site - Block known scam or free email domains and Additional email domains to block. Both lists can be used at the same time to form a comprehensive email domain blacklist. Because these settings apply to your entire site, they cannot be overridden for individual users or Share Links.

The Block known scam or free email domains setting lets you take advantage of our block list of thousands of known scam and free email domains. The list is refreshed regularly, and it is not published. Enabling the Block known scam or free email domains setting will automatically apply this block list to all emailed Share Link invitations, preventing your users from sharing with unapproved addresses.

For more fine-grained control, site administrators can manually supply your own list of domains to block, using the Additional email domains to block setting.

When using either or both block lists, it is highly recommended to also enable the Enforce access control for all Share Links setting for your site to prevent users from providing direct access to a Share Link URL.

The block lists are used only for restricting whether a link invitation can be sent. If your link does not require access control, web visitors can register using an address that is on either of the block lists.

Whether you're allowing visitors to directly access a Share Link URL, or if you require them to follow a link from an emailed invitation, you will usually want to limit how long a share link will be valid. Expired Share Links display an error message to web visitors, so they are not able to access the contents of the link.

Site administrators can configure your site's Share Link expiration setting, which can be used to force all Share Links to automatically expire a certain number of days after they are created. You can choose between Never expire shares or provide the number of days before each Share Link will expire.

When a site administrator has provided a maximum number of days in the Share Link expiration setting, every Share Link will have an Expiration date, and users can never override any individual Share Link to give it a longer lifetime than the site's maximum. Users can edit their Share Link's Expiration to any date earlier than the site's maximum setting. A Snapshot Share Link automatically enforces an expiration of 60 days after the Share Link is created; if the site's maximum expiration setting is less than 60 days, the site's maximum is used instead.

If the Share Link expiration setting for your site is Never expire shares, users can still choose to add an Expiration date to each Share Link. Snapshot Share Links will always have an Expiration date, which will never be more than 60 days after the link was created, regardless of the site's Share Link expiration setting.

Because Share Link expiration is set by a site administrator, it applies to all Share Links. Changing your site's Share Link expiration value to a shorter number will immediately expire any Share Links that have been active for more than the provided number of days.

Share Links that have passed their Expiration date do not appear in listings of Share Links, so you cannot re-activate an already expired Share Link to extend its Expiration.
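The expiration rules above combine into a single "earliest limit wins" calculation. The sketch below is an added example, not the product's code; the function names and the sample inventory are constructed for illustration. It computes the effective expiration of a link and previews which existing links would expire immediately if the site maximum were shortened.

```python
from datetime import date, timedelta

SNAPSHOT_MAX_DAYS = 60  # from the text: Snapshot Share Links expire at most 60 days after creation

def effective_expiration(created, site_max_days=None, requested=None, snapshot=False):
    """Return the date a Share Link expires, or None if it never expires.

    site_max_days=None models the "Never expire shares" site setting;
    requested is the Expiration date the user chose, if any.
    """
    limits = []
    if site_max_days is not None:
        limits.append(created + timedelta(days=site_max_days))
    if snapshot:
        limits.append(created + timedelta(days=SNAPSHOT_MAX_DAYS))
    if requested is not None:
        limits.append(requested)
    # The earliest applicable limit wins; a user can shorten but never extend.
    return min(limits) if limits else None

def expired_by_policy_change(links, new_site_max_days, today):
    """Names of links that expire at once if the site maximum is shortened.

    links is an iterable of (name, created_date) pairs. A link is affected
    when it has been active for more than new_site_max_days.
    """
    return [name for name, created in links
            if (today - created).days > new_site_max_days]

# Constructed sample inventory for a dry run before changing the setting.
SAMPLE_LINKS = [
    ("q1-report", date(2024, 1, 1)),
    ("contract", date(2024, 2, 20)),
    ("photos", date(2024, 3, 1)),
]
```

Running `expired_by_policy_change` against an export of active links before lowering the setting shows which recipients will lose access the moment the change is saved.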

Sometimes, it is helpful to create a Share Link before it will be used. For example, if attendees to an in-person event are provided a link to download materials, you might want to prevent them from accessing those materials until after the in-person event has concluded. Users can set the Publish date for each individual Share Link, which is the earliest date that the link will work.

If users do not set a Publish date for their Share Link, the link will be available as soon as it has been created.

Limit Visitors

To guard against a Share Link being accessed too many times, you can designate a maximum number of visitors that can visit the Share Link before it is automatically disabled. The number of visitors is determined by browsing data, so a user who follows the link on multiple devices may be counted more than once. A user who visits the link multiple times from the same browser will usually only be counted as one visitor.

Enabling the Online Editor Integration

If your site is using either the Editor or the Microsoft Office for the Web online editor, you can allow share link visitors to edit Office documents, spreadsheets, and presentations directly within a share link. To enable this behavior, a site administrator must enable the Use Office Integration for Full Access Share Links setting.

The Use Office Integration for Full Access Share Links setting applies to all Share Links that allow Full access, including download, upload, modify, and delete. The setting can be found within Sharing Settings in the web interface.
