gitlab-org--gitlab-foss/doc/security/user_file_uploads.md

---
type: reference
---

# User File Uploads

Images that are attached to issues, merge requests, or comments
do not require authentication to be viewed if they are accessed directly by URL.
This direct URL contains a random 32-character ID that prevents unauthorized
people from guessing the URL for an image, thus there is some protection if an
image contains sensitive information.

Authentication is not enabled because images must be visible in the body of
notification emails, which are often read from email clients that are not
authenticated with GitLab, such as Outlook, Apple Mail, or the Mail app on your
mobile device.

>**Note:**
Non-image attachments do require authentication to be viewed.

<!-- ## Troubleshooting

Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.

Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
Various edits to security documentation Edits to conform with CE epic 1280 SSOT standards, other improvements 2019-06-07 10:33:31 -04:00			`---`
			`type: reference`
			`---`
Clean-up some confusing info from security docs 2019-07-16 03:02:20 -04:00
Document file upload random uuid security 2015-12-10 11:24:08 -05:00			`# User File Uploads`

Various edits to security documentation Edits to conform with CE epic 1280 SSOT standards, other improvements 2019-06-07 10:33:31 -04:00			`Images that are attached to issues, merge requests, or comments`
			`do not require authentication to be viewed if they are accessed directly by URL.`
			`This direct URL contains a random 32-character ID that prevents unauthorized`
			`people from guessing the URL for an image, thus there is some protection if an`
			`image contains sensitive information.`
Document file upload random uuid security 2015-12-10 11:24:08 -05:00
Various edits to security documentation Edits to conform with CE epic 1280 SSOT standards, other improvements 2019-06-07 10:33:31 -04:00			`Authentication is not enabled because images must be visible in the body of`
			`notification emails, which are often read from email clients that are not`
			`authenticated with GitLab, such as Outlook, Apple Mail, or the Mail app on your`
Remove trailing whitespace in docs Remove unneeded trailing whitespace in lines in /security /workflow /user docs 2019-07-14 20:46:34 -04:00			`mobile device.`
Various edits to security documentation Edits to conform with CE epic 1280 SSOT standards, other improvements 2019-06-07 10:33:31 -04:00
			`>Note:`
			`Non-image attachments do require authentication to be viewed.`

			`<!-- ## Troubleshooting`

			`Include any troubleshooting steps that you can foresee. If you know beforehand what issues`
			`one might have when setting this up, or when something is changed, or on upgrading, it's`
			`important to describe those, too. Think of things that may go wrong and include them here.`
			`This is important to minimize requests for support, and to avoid doc comments with`
			`questions that you know someone might ask.`

			Each scenario can be a third-level heading, e.g. `### Getting error message X`.
			`If you have none to add when creating a doc, leave this section in place`
			`but commented out to help encourage others to add to it in the future. -->`