Coneshare Logo

Website Intake

Embed file request uploads on your own website

Use existing Coneshare file request links as embeddable upload forms, so users can submit files directly from your site without redirecting to a separate domain.

1. Iframe snippet

Example snippet using a real file request link:

<iframe
  src="https://app.coneshare.com/upload/zDgMPy5kRgNy78K8c2XSQg?embed=1"
  title="Secure file upload"
  width="100%"
  height="760"
  style="border:0;max-width:720px"
  loading="lazy"
  referrerpolicy="strict-origin-when-cross-origin">
</iframe>

Reusable template:

<iframe
  src="https://app.coneshare.com/upload/<file_request_slug>?embed=1"
  title="Secure file upload"
  width="100%"
  height="760"
  style="border:0;max-width:720px"
  loading="lazy"
  referrerpolicy="strict-origin-when-cross-origin">
</iframe>

2. Live embed preview

This preview embeds https://app.coneshare.com/upload/zDgMPy5kRgNy78K8c2XSQg directly for documentation and testing.

3. Reverse proxy headers (required)

In production, configure embed security headers at your front reverse proxy (HTTPS edge), not inside the Coneshare container runtime config.

# Default: deny framing for all routes
location / {
  proxy_pass http://coneshare_upstream;
  add_header X-Frame-Options "DENY" always;
  add_header Content-Security-Policy "frame-ancestors 'none'" always;
}

# Embed-enabled upload route only
location ~ ^/upload/ {
  proxy_pass http://coneshare_upstream;

  # Remove restrictive upstream headers on embed route
  proxy_hide_header X-Frame-Options;
  proxy_hide_header Content-Security-Policy;

  # Explicit allowlist for trusted embed origins
  add_header Content-Security-Policy "frame-ancestors 'self' https://www.example.com" always;
}
  • Use explicit HTTPS origins in frame-ancestors.
  • Avoid wildcard origins in production.
  • If your app is mounted under a prefix (for example /app/upload/...), adjust route matching.

4. Upload flow and validation

Embed mode uses the same backend flow and validations as standard public upload:

  1. Request upload URL (/api/v1/public/file-requests/<slug>/request-upload/)
  2. Direct upload to returned pre-signed URL
  3. Finalize upload (/api/v1/public/file-requests/<slug>/finalize-upload/)

Size limits, allowed types, active/expiry checks, quota checks, and finalize validations are unchanged.

Need end-to-end setup guidance?

See full feature documentation for file requests and embed security details.

View live demoRead docs