[GH-ISSUE #449] Attached Images are always public even for private topics #343

Closed
opened 2026-05-07 00:23:17 +02:00 by BreizhHardware · 2 comments

Originally created by @OHDMax on GitHub (Oct 22, 2022).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/449

Hello!

First, thank you for creating and maintaining this really helpful program (and congrats on your newest family member!).

I run a private instance for sending messages between my devices, which means every topic needs a user and password to be able to subscribe to them. However, when I directly push an image (using curl with POST and a local image) to a private topic, I can copy the link to that image and view it without authenticating myself.

Is this a bug or intended? Did I miss a configuration option to make the images private by activating basic auth for files or something? I've skimmed the documentation and the server.yml but could not find anything related.

Related information:
The instance runs on a Synology NAS inside a Docker container. Access to the internet is possible through the built-in NGINX, which acts as a reverse proxy.

BreizhHardware closed this issue and added the "question" label (2026-05-07 00:23:17 +02:00)

@binwiederhier commented on GitHub (Oct 22, 2022):

> Is this a bug or intended?

Intended. Attachment links are based on the message ID, which is a randomly generated string of 12(?) upper+lowercase characters and numbers and only lives for 3 hours. There's virtually no chance someone can guess the URL. Google and such use the same concept of a secret URL.
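
The secret-URL model described in the reply above, as an added example (not ntfy's code and not part of the original thread): it draws IDs from a CSPRNG, enforces the 3-hour lifetime, and bounds the chance of a blind guess. `AttachmentStore`, `new_id` and `guess_probability` are hypothetical names, and the ID length of 12 is the reply's own estimate.

```python
import math
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, as in the reply
ID_LENGTH = 12            # assumption: the reply says "12(?)"
LIFETIME_S = 3 * 60 * 60  # 3-hour lifetime stated in the reply


def new_id(length=ID_LENGTH):
    """Draw an ID from the OS CSPRNG; random.choice() would be predictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length=ID_LENGTH, alphabet_size=len(ALPHABET)):
    """Bits of entropy in one uniformly random ID."""
    return length * math.log2(alphabet_size)


def guess_probability(requests_per_second, live_ids=1,
                      length=ID_LENGTH, lifetime_s=LIFETIME_S):
    """Upper bound on the chance that blind guessing hits any live ID
    before it expires (union bound: guesses * live_ids / keyspace)."""
    keyspace = len(ALPHABET) ** length
    guesses = requests_per_second * lifetime_s
    return min(1.0, guesses * live_ids / keyspace)


class AttachmentStore:
    """Hypothetical in-memory store: holding the ID is the only credential."""

    def __init__(self, clock=time.time):
        self._items = {}
        self._clock = clock

    def put(self, data):
        file_id = new_id()
        self._items[file_id] = (data, self._clock() + LIFETIME_S)
        return file_id

    def get(self, file_id):
        entry = self._items.get(file_id)
        if entry is None or self._clock() >= entry[1]:
            self._items.pop(file_id, None)  # expired or unknown: same answer
            return None
        return entry[0]
```

The bound covers guessing only: anyone who obtains the link (reverse-proxy access logs, browser history, a forwarded message) can fetch the file until it expires.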


@OHDMax commented on GitHub (Oct 22, 2022):

I see, thanks for clearing that up!
