
FileCloud Public Endpoint Caching and Unauthenticated XML Response Guidance

Original Question or Issue:

This article provides guidance regarding caching behavior for selected FileCloud public endpoints, handling of dynamic CSS and profile image caching, and clarification around unauthenticated XML responses returned by certain endpoints.

The recommendations below were provided by the FileCloud Development team in response to customer security and CDN optimization inquiries.


Environment:

  • Product - FileCloud Server
  • Version - 23.253
  • Platform - Linux

Steps to Reproduce:

  1. Access the listed FileCloud public endpoints directly without authentication.

  2. Observe that several endpoints return XML responses publicly.

  3. Review CDN caching behavior for:

    • /core/getcssentries

    • /core/getprofileimage

  4. Evaluate whether the responses can be cached safely and whether endpoint restrictions or CDN redirection are required.


Error or Log Message:

No specific error message was reported.


Defect or Enhancement Number:

 


Cause:

The identified endpoints are intentionally designed to return limited non-sensitive XML data for:

  • Public share functionality

  • Pre-login operations

  • Anonymous access workflows

Additionally:

  • /core/getcssentries may return dynamic CSS content configured through the Admin Portal.

  • /core/getprofileimage serves user profile images using username-based query strings.


Resolution or Workaround:

  1. /core/getcssentries can be cached: the custom CSS configured through the Admin Portal is the same for every visitor and changes infrequently.

  2. Pair that cache with a TTL that matches how often administrators edit the custom CSS, or invalidate the cached entry as part of the CSS update procedure so visitors do not keep receiving stale styling.

  3. /core/getprofileimage can be safely cached per user with a TTL based on how often profile images are updated. Because the user is selected by the query string, the cache key must include the full query string and not just the path; a CDN configured to strip or ignore query strings would return one user's image in response to another user's request.

  4. CDN-level blocking or redirection of these endpoints is not recommended: public shares, pre-login operations and anonymous access workflows depend on them.

  5. Continue using standard environment-level security controls such as a WAF, reverse proxy hardening, and OWASP-aligned security practices. Keep caching limited to the two endpoints above; responses from authenticated endpoints are per session and should pass through the CDN uncached.
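The caching rules above, as an added example written for this article (it is not FileCloud's own configuration and is not shipped with the product): an nginx reverse-proxy cache placed in front of FileCloud that stores only the two endpoints discussed, keys profile images on the username query string, and leaves every other path uncached. The upstream address, hostname, certificate paths, TTLs and the refresh header name are assumptions chosen for illustration; the same rules carry over to any CDN that allows per-path cache keys and TTLs.

```nginx
# Added example, not FileCloud's configuration. Assumed values: upstream address,
# server_name, certificate paths, TTLs and the X-Cache-Refresh header name.

proxy_cache_path /var/cache/nginx/filecloud levels=1:2 keys_zone=filecloud:10m
                 max_size=512m inactive=1d use_temp_path=off;

upstream filecloud_backend {
    server 127.0.0.1:8080;            # assumed FileCloud backend address
}

server {
    listen 443 ssl;
    server_name files.example.com;    # assumed hostname
    ssl_certificate     /etc/ssl/certs/filecloud.crt;      # assumed paths
    ssl_certificate_key /etc/ssl/private/filecloud.key;

    # Default: everything passes through with no proxy_cache directive, so nothing is
    # stored. Authenticated endpoints return per-session data and must stay uncached.
    location / {
        proxy_pass http://filecloud_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Custom CSS from the Admin Portal: identical for every visitor, changes rarely.
    # nginx will not store a response that carries Set-Cookie unless told to ignore
    # it; that default is kept deliberately so a session cookie can never be cached.
    location = /core/getcssentries {
        proxy_pass http://filecloud_backend;
        proxy_set_header Host $host;
        proxy_cache filecloud;
        proxy_cache_key "$scheme$host$request_uri";
        proxy_cache_valid 200 1h;     # assumed TTL; shorten if admins edit CSS often
        # Invalidation without waiting for the TTL: a request carrying the assumed
        # X-Cache-Refresh header skips the cached copy and the fresh upstream
        # response replaces it. Anyone who knows the header name can only force an
        # extra upstream fetch, which is the same cost as serving it uncached.
        proxy_cache_bypass $http_x_cache_refresh;
        add_header X-Cache-Status $upstream_cache_status;
    }

    # Profile images: the cache key includes the query string ($is_args$args), so a
    # request for one username never receives the entry stored for another.
    location = /core/getprofileimage {
        proxy_pass http://filecloud_backend;
        proxy_set_header Host $host;
        proxy_cache filecloud;
        proxy_cache_key "$scheme$host$uri$is_args$args";
        proxy_cache_valid 200 10m;    # assumed TTL based on image update frequency
        add_header X-Cache-Status $upstream_cache_status;
    }
}
```

After reloading nginx, request /core/getcssentries twice and check the X-Cache-Status header: the first response should report MISS and the second HIT. For /core/getprofileimage, request the endpoint with two different username query strings; both first requests should report MISS, which confirms that each user has a separate cache entry rather than one shared entry keyed on the path alone.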


Notes:

The Development team confirmed:

  • Public XML responses are expected behavior.

  • Sensitive/private data remains protected behind authenticated sessions.

  • No additional recommendations were provided beyond the documented guidance.