Security Tip: Temporary Local File URLs!

[Tip #108] Temporary URLs for file access are an essential piece of the security puzzle, and up until recently they were only available out-of-the-box for the S3 driver. Now you can easily generate them for local files too!


I'm sneaking this one into our series on security-related changes in Laravel 12, even though it actually comes from Taylor Otwell's Laracon 2024 PR in September 2024. It's close enough, right? 😉

Way back in January 2023 I wrote about Restricting Local File Access due to Laravel only supporting temporary URLs for files stored on external s3 driver file systems. My solution was to set up a custom signed route which allowed you to securely serve local files with temporary signed URLs.

Well, as of September 2024, you can now do it directly within the Storage system in Laravel! No need for a custom route any more. 🎉

The process is now the same regardless of whether you're using the s3 or local driver:

use Illuminate\Support\Facades\Storage;
 
$url = Storage::temporaryUrl(
    'file.jpg', now()->addMinutes(5)
);

That's it. Laravel does the rest for you automatically, just the way we like it. 😁

The only caveat is that you will need to enable it via disks.local.serve=true in your config/filesystems.php file, if your app doesn't have the new config option:

'local' => [
    'driver' => 'local',
    'root' => storage_path('app/private'),
    'serve' => true,                          // <<< Add & set true
    'throw' => false,
],

Check out the docs for the full details, including customising the temporary URL generation and/or route if needed.
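
To show why a temporary URL is safe to hand out, here is a simplified sketch of the general technique (an HMAC over the file path and expiry time) in plain PHP. It is an added example, not Laravel's implementation or code from the original post; the signing key, host and query parameter names are constructed for the illustration.

```php
<?php
// Added illustration of expiring signed URLs; not Laravel's own code.
// SIGNING_KEY, the host and the query parameter names are assumptions.
const SIGNING_KEY = 'constructed-example-key';

// Build a URL that grants access to $path until $expires (Unix time).
function signTemporaryUrl(string $baseUrl, string $path, int $expires): string
{
    $unsigned = $baseUrl . '?' . http_build_query(['path' => $path, 'expires' => $expires]);

    return $unsigned . '&signature=' . hash_hmac('sha256', $unsigned, SIGNING_KEY);
}

// Return the file path if the URL is untampered and unexpired, otherwise null.
function verifyTemporaryUrl(string $url, int $now): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['query'])) {
        return null;
    }
    parse_str($parts['query'], $params);
    $given = $params['signature'] ?? null;
    unset($params['signature']);
    if (!is_string($given) || !is_string($params['path'] ?? null)
        || !is_string($params['expires'] ?? null) || !ctype_digit($params['expires'])) {
        return null;
    }
    // Recompute the MAC over everything except the signature itself.
    $unsigned = $parts['scheme'] . '://' . $parts['host'] . ($parts['path'] ?? '')
        . '?' . http_build_query($params);
    $expected = hash_hmac('sha256', $unsigned, SIGNING_KEY);

    // hash_equals() compares in constant time, so timing does not leak the MAC.
    if (!hash_equals($expected, $given)) {
        return null;
    }
    // Expiry is checked only after the signature proves "expires" is unmodified.
    return $now <= (int) $params['expires'] ? $params['path'] : null;
}

$now = 1700000000; // constructed timestamp standing in for time()
$url = signTemporaryUrl('https://app.example.test/files', 'reports/invoice.pdf', $now + 300);

var_dump(verifyTemporaryUrl($url, $now + 60));   // inside the 5 minute window
var_dump(verifyTemporaryUrl($url, $now + 301));  // after the link has expired
var_dump(verifyTemporaryUrl(str_replace('invoice', 'payroll', $url), $now + 60)); // path edited after signing
```

Because the path and the expiry are both covered by the MAC, a recipient cannot extend the lifetime of a link or point it at a different file without invalidating the signature.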

