This article explains how to ensure information about the RadCloudUpload configuration is secure and non-readable. Its transmission between the client and the server must be encrypted and impossible to decode, so the data cannot be used by a malicious entity in an attack against the server.
Configuration information includes temporary and target folder on the server, and allowed file extensions.
There is an
appSettings key you should add to your
web.config to ensure information security with file uploads:
- set a custom
If you do not set a custom key, a default (hardcoded) value is used to encrypt/decrypt the information.
As of R2 2017 SP1, hardcoded keys are not used anymore. Instead, standard .NET methods are used for encryption. Nevertheless, you should still set your own unique custom keys. You can use the IIS MachineKey Validation Key generator to get them (make sure to avoid the ,IsolateApps portion).
As an added security measure, as of R2 2017 SP2, you can disable file uploads for your application via the Telerik.Web.DisableCloudUploadHandler key web.config switch.
As of R1 2017, the Encrypt-then-MAC approach is implemented, in order to improve the integrity of the encrypted temporary and target folders.
The additional Telerik.Upload.ConfigurationHashKey key is used to hash the encrypted text. The value returned from the client is checked in the upload handler for integrity. If the hashing attempt is incorrect, a
new CryptographicException("The hash is not valid!"); exception will be thrown.
<appSettings> <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR-SECOND-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP&" /> </appSettings>
Telerik.Web.DisableCloudUploadHandler key to
true disables the built-in RadCloudUpload handler that is used for sending files to the server before they are moved to the cloud via the provider. This feature is available as of R2 2017 SP2.
When you set this key to
true, no files can be uploaded to the default handler (
Telerik.Web.UI.WebResource.axd) and cloud upload requests to it will return a 404 error.
Custom handlers are not affected by this feature and you can still use them to upload and save files.
<appSettings> <add key="Telerik.Web.DisableCloudUploadHandler" value="true"/> </appSettings>