docs(upload): add security configuration documentation

araksyagevorgyan · araksyagevorgyan · commit 225583f3dfde · 2025-10-31T14:31:15.000+01:00
diff --git a/docusaurus/docs/cms/features/media-library.md b/docusaurus/docs/cms/features/media-library.md
@@ -111,6 +111,7 @@ When using the default upload provider, the following specific configuration opt
 | `providerOptions.localServer`        | Options that will be passed to <ExternalLink to="https://github.com/koajs/static" text="koa-static"/> upon which the Upload server is build (see [local server configuration](#local-server)) | Object  | -       |
 | `sizeLimit`                                  | Maximum file size in bytes (see [max file size](#max-file-size)) | Integer | `209715200`<br/><br/>(200 MB in bytes, i.e., 200 x 1024 x 1024 bytes) |
 | `breakpoints`             | Allows to override the breakpoints sizes at which responsive images are generated when the "Responsive friendly upload" option is set to `true` (see [responsive images](#responsive-images)) | Object | `{ large: 1000, medium: 750, small: 500 }` |
+| `security`             | Configures validation rules for uploaded files to enhance media security | Object | - |
 
 :::note
 The Upload request timeout is defined in the server options, not in the Upload plugin options, as it's not specific to the Upload plugin but is applied to the whole Strapi server instance (see [upload request timeout](#upload-request-timeout)).
@@ -145,6 +146,10 @@ module.exports = ({ env })=>({
         small: 500,
         xsmall: 64
       },
+      security: {
+        allowedTypes: ['image/*', 'application/pdf'],
+        deniedTypes: ['application/x-sh', 'application/x-dosexec']
+      },
     },
   },
 });
@@ -171,6 +176,10 @@ export default () => ({
         small: 500,
         xsmall: 64
       },
+      security: {
+        allowedTypes: ['image/*', 'application/pdf'],
+        deniedTypes: ['application/x-sh', 'application/x-dosexec']
+      },
     },
   },
 })
@@ -319,6 +328,55 @@ export default {
 
 </Tabs>
 
+#### Security
+
+
+Configures validation rules for uploaded files to enhance media security.
+
+:::note
+It's best to define either `allowedTypes` or `deniedTypes`, not both, to avoid conflicts in file validation logic.
+:::
+
+You can provide them by creating or editing [the `/config/plugins` file](/cms/configurations/plugins). The following example sets the `allowedTypes` filter:
+
+<Tabs groupId="js-ts">
+
+<TabItem value="javascript" label="JavaScript">
+
+```js title="/config/plugins.js"
+module.exports = {
+  // ...
+  upload: {
+    config: {
+      security: {
+        allowedTypes: ['image/*', 'application/pdf']
+      },
+    }
+  }
+};
+```
+
+</TabItem>
+
+<TabItem value="typescript" label="TypeScript">
+
+```js title="/config/plugins.ts"
+export default {
+  // ...
+  upload: {
+    config: {
+      security: {
+        allowedTypes: ['image/*', 'application/pdf']
+      },
+    }
+  }
+};
+```
+
+</TabItem>
+
+</Tabs>
+
 #### Upload request timeout
 
 By default, the value of `strapi.server.httpServer.requestTimeout` is set to 330 seconds. This includes uploads.
