Following the Drupal Security Team Public Service Announcement about the configuration of file upload fields on entities and webforms that are available for anonymous users to create, this module has been developed to allow admins to enforce secure settings for these fields on their sites.

The module currently secures file and image field types, and will also secure all file uploads on webforms regardless of user access.


  • Choose between displaying an advisory notice when creating new webforms or content types, or enforcing the use of the private file system (if available)
  • Update all file fields on content that the anonymous user can create and all webforms to use the private file system, and move legacy files, in a single command.
  • Use an administration form or a drush command
  • Use as a one time only fix and disable, or leave in place on sites where you have a number of administrators who may not be aware of the security implications of file fields.


This module requires the Entity API module to be enabled. If your site does not have a private file system configured, this module will only allow you to advise administrators of the Security Team PSA, and the drush command will not function.

Current Maintainer

Dale Smith (MrDaleSmith)

Supporting organizations: 

Project information