Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/diced/zipline/llms.txt

Use this file to discover all available pages before exploring further.

Zipline includes several security features to protect your instance from abuse and ensure safe operation.

Core Security Settings

Secret Key

CORE_SECRET
string
required
The master secret key used for session encryption, token generation, and other cryptographic operations.Requirements:
  • Minimum 32 characters
  • Must not be the default value “changethis”
  • Should be cryptographically random
# Generate a secure secret
CORE_SECRET=$(openssl rand -base64 42 | tr -dc A-Za-z0-9 | cut -c -32)
The CORE_SECRET is critical for security. If compromised, attackers can:
  • Forge session tokens
  • Impersonate users
  • Access protected resources
Never commit this value to version control or share it publicly.

Proxy Trust

CORE_TRUST_PROXY
boolean
default:"false"
Trust proxy headers for client IP address detection.
CORE_TRUST_PROXY=true
Enable this when Zipline is behind a reverse proxy (Nginx, Apache, Cloudflare, etc.) to:
  • Correctly identify client IP addresses from X-Forwarded-For header
  • Respect X-Forwarded-Proto for HTTPS detection
  • Enable accurate rate limiting by IP
  • Properly log client addresses
When to enable:
  • Behind Nginx, Apache, Caddy, or similar reverse proxy
  • Using Cloudflare or other CDN
  • In containerized environments with ingress controllers
When to keep disabled:
  • Direct exposure to the internet
  • When you don’t have a trusted proxy layer

Reverse Proxy Configuration Examples

location / {
  proxy_pass http://localhost:3000;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
}
Set CORE_TRUST_PROXY=true in Zipline.
zipline.example.com {
  reverse_proxy localhost:3000
}
Caddy automatically sets proper headers. Set CORE_TRUST_PROXY=true.
<VirtualHost *:443>
  ServerName zipline.example.com
  
  ProxyPreserveHost On
  ProxyPass / http://localhost:3000/
  ProxyPassReverse / http://localhost:3000/
  
  RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
Set CORE_TRUST_PROXY=true in Zipline.

Rate Limiting

Protect your instance from abuse with built-in rate limiting.
RATELIMIT_ENABLED
boolean
default:"true"
Enable rate limiting globally.
RATELIMIT_ENABLED=true
RATELIMIT_MAX
number
default:"10"
Maximum number of requests allowed per window.
RATELIMIT_MAX=10
RATELIMIT_WINDOW
number
default:"null"
Time window in milliseconds. If not set, uses a default window.
RATELIMIT_WINDOW=60000  # 1 minute
RATELIMIT_ADMIN_BYPASS
boolean
default:"true"
Allow administrators to bypass rate limits.
RATELIMIT_ADMIN_BYPASS=true
RATELIMIT_ALLOW_LIST
string[]
default:"[]"
Comma-separated list of IP addresses or CIDR ranges exempt from rate limiting.
RATELIMIT_ALLOW_LIST=127.0.0.1,192.168.1.0/24,10.0.0.5

Rate Limit Examples

# 5 requests per minute
RATELIMIT_ENABLED=true
RATELIMIT_MAX=5
RATELIMIT_WINDOW=60000
RATELIMIT_ADMIN_BYPASS=true
Rate limiting is applied per IP address. With CORE_TRUST_PROXY=true, the client’s real IP from proxy headers is used.

File Security

Extension Blocking

FILES_DISABLED_EXTENSIONS
string[]
default:"[]"
Block uploads of files with specific extensions.
FILES_DISABLED_EXTENSIONS=exe,bat,cmd,sh,ps1
Common security-focused configurations: 
# Block executables
FILES_DISABLED_EXTENSIONS=exe,bat,cmd,com,msi,scr

# Block scripts
FILES_DISABLED_EXTENSIONS=sh,bash,ps1,vbs,js,jar

# Block potentially dangerous files
FILES_DISABLED_EXTENSIONS=exe,dll,bat,cmd,sh,ps1,vbs,com,scr,pif,msi

Metadata Removal

FILES_REMOVE_GPS_METADATA
boolean
default:"false"
Automatically strip GPS and location metadata from uploaded images.
FILES_REMOVE_GPS_METADATA=true
When enabled, removes EXIF data including:
  • GPS coordinates
  • Location names
  • Timestamps
  • Camera information
Protecting user privacy by removing location data from photos is recommended for public instances.

File Size Limits

FILES_MAX_FILE_SIZE
string
default:"100mb"
Maximum allowed file size for uploads.
FILES_MAX_FILE_SIZE=500mb
Considerations:
  • Prevents storage exhaustion attacks
  • Limits bandwidth consumption
  • Affects server memory usage during uploads

Webhooks

Webhooks can notify external services when events occur, but should be configured carefully.

HTTP Webhooks

HTTP_WEBHOOK_ON_UPLOAD
string
default:"null"
URL to POST to when a file is uploaded.
HTTP_WEBHOOK_ON_UPLOAD=https://api.example.com/webhooks/upload
HTTP_WEBHOOK_ON_SHORTEN
string
default:"null"
URL to POST to when a URL is shortened.
HTTP_WEBHOOK_ON_SHORTEN=https://api.example.com/webhooks/shorten
Webhook payload includes:
  • File/URL metadata
  • User information
  • Timestamp
  • File URL

Discord Webhooks

DISCORD_WEBHOOK_URL
string
default:"null"
Global Discord webhook URL.
DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/123456789/abcdefg
DISCORD_USERNAME
string
default:"null"
Username for Discord webhook messages.
DISCORD_USERNAME=Zipline Bot
DISCORD_AVATAR_URL
string
default:"null"
Avatar URL for Discord webhook messages.
DISCORD_AVATAR_URL=https://zipline.example.com/logo.png

Upload-Specific Discord Webhook

DISCORD_ON_UPLOAD_WEBHOOK_URL
string
default:"null"
Separate webhook URL specifically for file uploads.
DISCORD_ON_UPLOAD_USERNAME
string
default:"null"
Username for upload notifications.
DISCORD_ON_UPLOAD_AVATAR_URL
string
default:"null"
Avatar URL for upload notifications.
DISCORD_ON_UPLOAD_CONTENT
string
default:"null"
Message content for upload notifications.
DISCORD_ON_UPLOAD_EMBED
json
default:"null"
JSON configuration for Discord embed on uploads.
DISCORD_ON_UPLOAD_EMBED='{"title":"New Upload","color":"#5865F2"}'

URL Shorten-Specific Discord Webhook

DISCORD_ON_SHORTEN_WEBHOOK_URL
string
default:"null"
Separate webhook URL specifically for URL shortening.
DISCORD_ON_SHORTEN_USERNAME
string
default:"null"
Username for shorten notifications.
DISCORD_ON_SHORTEN_AVATAR_URL
string
default:"null"
Avatar URL for shorten notifications.
DISCORD_ON_SHORTEN_CONTENT
string
default:"null"
Message content for shorten notifications.
DISCORD_ON_SHORTEN_EMBED
json
default:"null"
JSON configuration for Discord embed on URL shortening.
Webhook Security:
  • Webhook URLs contain secrets - keep them private
  • Don’t expose sensitive user data in webhook payloads
  • Use HTTPS endpoints only
  • Validate webhook destination is trusted
  • Monitor webhook activity for abuse

Security Best Practices

# Strong secret (32+ characters)
CORE_SECRET=$(openssl rand -base64 42 | tr -dc A-Za-z0-9 | cut -c -32)

# Trust proxy when behind reverse proxy
CORE_TRUST_PROXY=true

# Return HTTPS URLs
CORE_RETURN_HTTPS_URLS=true

# Enable rate limiting
RATELIMIT_ENABLED=true
RATELIMIT_MAX=20
RATELIMIT_WINDOW=60000

# Remove GPS metadata
FILES_REMOVE_GPS_METADATA=true

# Disable public registration
FEATURES_USER_REGISTRATION=false

# Strict rate limiting
RATELIMIT_ENABLED=true
RATELIMIT_MAX=10
RATELIMIT_WINDOW=60000

# Invite-only access
FEATURES_USER_REGISTRATION=false
FEATURES_OAUTH_REGISTRATION=false
INVITES_ENABLED=true

# Block executables
FILES_DISABLED_EXTENSIONS=exe,bat,cmd,sh,ps1

# Moderate rate limiting
RATELIMIT_ENABLED=true
RATELIMIT_MAX=30
RATELIMIT_WINDOW=60000

# Allow registration with safeguards
FEATURES_USER_REGISTRATION=true

# Privacy protection
FILES_REMOVE_GPS_METADATA=true

# File restrictions
FILES_MAX_FILE_SIZE=100mb
FILES_DISABLED_EXTENSIONS=exe,dll,bat,cmd,sh,scr

Additional Security Features

HTTPS Enforcement

CORE_RETURN_HTTPS_URLS
boolean
default:"false"
Generate HTTPS URLs instead of HTTP.
CORE_RETURN_HTTPS_URLS=true
Always enable this in production when using HTTPS.

Password Protection

Users can password-protect individual files and URLs. Passwords are hashed using bcrypt before storage.

View Limits

FEATURES_DELETE_ON_MAX_VIEWS
boolean
default:"true"
Automatically delete files when they reach their maximum view count.
FEATURES_DELETE_ON_MAX_VIEWS=true
Useful for:
  • Self-destructing file shares
  • One-time secret sharing
  • Controlling content distribution

Monitoring and Logging

Enable logging to monitor security events: 
DEBUG=zipline
Logs include:
  • Authentication attempts
  • Rate limit violations
  • File upload/download activity
  • Configuration validation errors
  • Datasource access issues

Troubleshooting

Rate Limiting Issues

Users getting rate limited incorrectly:
  • Check CORE_TRUST_PROXY is enabled if behind proxy
  • Verify proxy is setting X-Forwarded-For header
  • Add internal IPs to RATELIMIT_ALLOW_LIST
Rate limits not working:
  • Ensure RATELIMIT_ENABLED=true
  • Check window value is reasonable
  • Verify IP detection is working (check logs)

Proxy Issues

Wrong IP addresses in logs:
  • Enable CORE_TRUST_PROXY=true
  • Verify proxy headers are being sent
Rate limiting by proxy IP:
  • Same as above - trust proxy configuration needed

Next Steps

Authentication Configuration

OAuth, MFA, and user registration settings

Build docs developers (and LLMs) love

Get started for freeTalk to us