Prevent Unauthorized File Uploads via Browser
Limited Availability: To access the File Upload Protection feature, contact Skyhigh Support.
File Upload Protection is designed to control and prevent unauthorized or potentially harmful file transfers initiated through the browser. This capability actively monitors multiple interaction methods, including form‑based uploads, drag‑and‑drop actions, and clipboard pasting of files or images into the browser. It intercepts these actions at the browser level, ensuring that files are evaluated before they leave the user’s environment. This capability acts as a safeguard against accidental or malicious uploads that could expose sensitive information or introduce security risks. It is application‑agnostic, meaning it applies consistently across a wide range of web services and collaboration platforms, such as Google Drive, Dropbox, WhatsApp Web, and Microsoft Copilot. While the Secure Web Gateway (SWG) handles network‑level inspection, File Upload Protection adds coverage through direct operation within the browser.
This allows it to enforce policies even in scenarios where technologies such as end‑to‑end encryption or WebSockets would otherwise prevent SWG from analyzing the content. By combining browser‑level enforcement with SWG inspection, organizations gain a layered defense that ensures files are scanned, validated, and controlled before they are uploaded, reducing the risk of data leakage or policy violations.
How It Works
When a file is uploaded through a browser‑based application, it is submitted to SWG and scanned against the organization’s configured web and DLP policies before the application is granted access to the file.
SWG uses its existing Web and DLP policies to identify sensitive data patterns and perform content inspection during the upload process. Files are scanned in real time before they enter the browser application. During this inspection, SWG verifies compliance with the configured policies, including all DLP and other security rules.
If sensitive data is detected or a policy violation occurs, the upload is blocked, and the file is not permitted to reach the destination application. When Agentless Notification is enabled, the user receives a message stating "The content you attempted to upload is blocked by your organization’s security policy", along with violation details. The block page is tied to the specific policy that was violated and can be customized within the appropriate ruleset.
When these controls run at the browser level, File Upload Protection makes sure sensitive or unauthorized files are stopped before they’re sent out. This holds even in cases where encryption technologies, like end‑to‑end encryption or WebSockets, would normally prevent SWG from inspecting the content.
Use Cases for File Upload Protection in Web DLP
Use Case 1 - Prevent Sensitive Files Shared via End‑to‑End Messaging App
An employee attempts to share a confidential file through an end‑to‑end encrypted messaging app. Because the traffic is encrypted, SWG cannot normally inspect or block the upload. With File Upload Protection enabled, the content is scanned before transmission. Sensitive data patterns are detected, and the upload is blocked locally. The user receives a notification, and the violation is logged for review.
Use Case 2 - Stop Unauthorized Source Code Uploads to GitHub
A developer tries to upload proprietary source code to a public GitHub repository. SWG applies custom DLP rules to detect embedded credentials and intellectual property. The upload is blocked before transmission. The user receives a notification, and the event is recorded for compliance reporting.
Enable File Upload Protection for Browser
Follow the steps below to enable File Upload Protection:
- Navigate to Policy > Web Policy > Policy.
- On the Web Policy page, under the Policy Ruleset tree, open the Browser Control ruleset.
- Click the three‑dot menu, then under Add New Ruleset, select From Library.

- In the Browser Control Rulesets list, check the box for File Upload Protection.
NOTE:
It is recommended to use Agentless Notification in conjunction with File Upload Protection, allowing users to be notified when actions are blocked.
- Click Add to include the ruleset.

- Go to Web > Policy > Web Policy > Policy Ruleset > Browser Control > File Upload Protection.
- On the File Upload Protection page, locate the File Upload Protection rule.
NOTE: Scope the rule to specific sites or groups of sites where protection is required. Blocking text extraction from every site may reduce usability.
- Turn On the toggle to enable the rule.

- Review the settings on the page. Then select the yellow badge to save and publish the policy changes.
File Upload Protection is triggered when a file is uploaded to the browser through a file selection dialog or drag-and-drop. If a file violates any configured policy rules, the browser is blocked from accessing the file.
- If Agentless Notification is enabled, a block notification appears to inform the user.
- If Agentless Notification is disabled, no pop-up appears, but the upload is silently blocked in the background.
In both cases, the activity is recorded in the Audit Logs and DLP Incidents.
Importance of File Upload Pre-scan Scoping
File Upload Pre-scan is most effective when scoped to websites known to prevent inspection. Since SWG cannot scan uploads on encrypted (WhatsApp and Facebook Messenger) or WebSocket-based platforms (Copilot Web), targeting these sites ensures the feature provides actual security value. Secure Web Gateway (SWG) can already scan uploads for most websites, so enabling File Upload Pre-scan for all sites provides minimal additional benefit and may introduce unnecessary overhead. This is because content is uploaded twice during the File Upload Pre-scan process:
- First upload. The file is sent to the Secure Web Gateway (SWG) for inspection before it proceeds anywhere else.
- Second upload. After inspection, the same file is uploaded again to the destination website or application (for example, WhatsApp, Facebook Messenger, or Copilot Web).
Consider the potential impact on user experience and bandwidth usage, especially for large files or metered network connections, where duplicate uploads may lead to delays or additional charges.
Configure File Upload Protection Settings
The File Upload Protection Settings include a key component: Preset Rules.
Preset Rules. You can Select Action under Preset Rules. This capability actively monitors multiple interaction methods, including form uploads, drop files, drop images, and clipboard pasting of files or images.
Select Action
- Block All:
Follow these steps to block all paste, drop, and file selection actions, regardless of content or size.
- Select Block All to block all rules.
- Click the three‑dot menu and choose Select Block Setting.

The Select End User Notification pane appears.
- Choose the required notification from the list.
- Click Save to apply the changes.

- Pre‑scan: Select this option to have SWG inspect the file being pasted or dropped or the file selected, and block the action if policy detects sensitive content. The text is scanned against the normal SWG policy. Pre-scan has the following options:
- Set a scan size limit.
- Choose a pre‑scan action if the text size exceeds the limit.
The default action is Block.
Scan Size Limit
You can control which files undergo pre-scan by defining a maximum file size limit. This helps optimize performance and avoid unnecessary processing for oversized files. This setting allows you to define the maximum file size eligible for pre-scan inspection. Files exceeding this limit will bypass the pre-scan process and proceed directly to the destination application without being scanned.
DLP Processing Limits
Data Loss Prevention (DLP) scanning within SWG has built-in size restrictions:
- The default limit is 50 MB.
- With the Advanced DLP entitlement, the limit is up to 250 MB.
Increasing the prescan limit beyond the DLP processing limit will result in the content not being DLP scanned. To enable scanning for larger files, update the default value in the Scan Limit settings.
To configure the scan size limit:
- Go to Web > Policy > Web Policy > Policy Ruleset > Browser Control > File Upload Protection.
- Within the File Upload Protection section, locate the Scan Limit under Preset Rules.
- You can customize the scan size limit using the menu and select a value in KB, Bytes, MB, or GB.
- Click Save to apply the configuration.
After the configuration is saved, any file uploaded via a browser that exceeds the configured scan size limit will bypass the pre-scan process. These files are not blocked and will continue to upload without inspection.
Options when the limit is exceeded:
- Block – Recommended for very large files to avoid network lag.
- Allow – Permits the upload even if the file size exceeds the limit.

Detect Pre-scan Requests in SWG policy
The pre-scan request uses a standardized URL format: https://xxxxxx/skyhigh/aaaaaa/filename, where:
- xxxxxx represents the domain of the currently loaded page in the browser.
- pppppp is the SWG policy name that enabled the drag or paste inspection.
- aaaaaa is paste.file, drop.file, or change.file, depending on the action the user is taking.
- filename is the name of the file selected by the user.
This URL can also be detected in SWG policy and used to specify different policy behavior for pre-scan requests, using normal policy scoping conditions.
This URL is logged in DLP incidents and audit logs for visibility and tracking.
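For triage of exported audit-log or DLP-incident URLs, the following added example (not Skyhigh code) recognizes pre-scan requests by the format described above and counts them per site and action. The printed template does not show where the policy name appears, so treating any segments between skyhigh and the action token as the policy name is an assumption, and all sample URLs are constructed.

```python
from collections import Counter
from urllib.parse import unquote, urlsplit

# Action tokens the page lists for pre-scan requests.
PRESCAN_ACTIONS = ("paste.file", "drop.file", "change.file")

# Constructed sample URLs (not real log data).
SAMPLE_URLS = [
    "https://chat.example.com/skyhigh/drop.file/q3%20forecast.xlsx",
    "https://chat.example.com/skyhigh/paste.file/image.png",
    "https://chat.example.com/skyhigh/drop.file/keys.pem",
    "https://assistant.example.net/skyhigh/change.file/design.docx",
    "https://assistant.example.net/skyhigh/Upload-Policy/paste.file/shot.png",
    "https://chat.example.com/skyhigh/about.html",   # not a pre-scan request
    "https://code.example.org/org/repo/upload",      # not a pre-scan request
]

def parse_prescan_url(url):
    """Return site, policy, action and filename for a pre-scan URL, else None."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    # Split on the raw "/" first, then decode, so an encoded %2F stays in the name.
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if len(segments) < 3 or segments[0] != "skyhigh":
        return None
    # Find the action token after "skyhigh"; a filename must follow it.
    idx = next((i for i, s in enumerate(segments) if i and s in PRESCAN_ACTIONS), None)
    if idx is None or idx == len(segments) - 1:
        return None
    # Assumption: segments between "skyhigh" and the action token, if any,
    # carry the policy name (its position is not shown in the page's template).
    policy = "/".join(segments[1:idx]) or None
    return {"site": parts.hostname, "policy": policy,
            "action": segments[idx], "filename": "/".join(segments[idx + 1:])}

def summarize(urls):
    """Count pre-scan requests per (site, action); other URLs are ignored."""
    counts = Counter()
    for url in urls:
        hit = parse_prescan_url(url)
        if hit:
            counts[(hit["site"], hit["action"])] += 1
    return counts

if __name__ == "__main__":
    for (site, action), n in sorted(summarize(SAMPLE_URLS).items()):
        print(f"{site:28} {action:12} {n}")
```
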
