So far, media files are served by the proxy. This means that they are bypassing authentication. In other words: uploaded files are not protected at all.
I recently stumbled upon django-protected-media, which uses the X-Sendfile mechanism to support protected media files. I did not end up using that library because it assumes that some media files should be protected while others should be public. That is really not required in our case. Bending the configuration to fit our needs would be overly complicated. So I instead ported the relevant functionality to castellum directly.
Note that this is optional: the default still is that castellum/django does not serve media files in production. However, the new settings allow using a more secure alternative (we really cannot prevent admins from bypassing castellum).
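The X-Sendfile pattern described above, as an added stand-alone example (not castellum's or django-protected-media's code, no Django dependency): the application only authenticates the request and maps the URL to a file under the media root, then answers with an empty 200 whose `X-Sendfile` (Apache mod_xsendfile) or `X-Accel-Redirect` (nginx internal location) header tells the proxy which file to stream. `MEDIA_ROOT`, `MEDIA_URL` and `NGINX_INTERNAL_PREFIX` are hypothetical deployment values.

```python
import mimetypes
import posixpath
from typing import Dict, Optional, Tuple

# Hypothetical deployment paths (assumed for this example, not castellum's).
MEDIA_ROOT = "/srv/castellum/media"
MEDIA_URL = "/media/"
# nginx variant: an "internal" location that is aliased to MEDIA_ROOT.
NGINX_INTERNAL_PREFIX = "/protected-media/"


def resolve_media_path(url_path: str) -> Optional[str]:
    """Map a (already URL-decoded) request path below MEDIA_URL to an absolute
    file path under MEDIA_ROOT. Returns None if the request is outside
    MEDIA_URL or would escape MEDIA_ROOT (".." segments, absolute paths)."""
    if not url_path.startswith(MEDIA_URL):
        return None
    rel = url_path[len(MEDIA_URL):]
    full = posixpath.normpath(posixpath.join(MEDIA_ROOT, rel))
    # Reject the root itself and anything that normalised to outside it.
    if full == MEDIA_ROOT or not full.startswith(MEDIA_ROOT + "/"):
        return None
    return full


def protected_media_response(
    url_path: str, is_authenticated: bool, backend: str = "apache"
) -> Tuple[int, Dict[str, str]]:
    """Decide how the app answers a media request. The app never opens the
    file: on success it returns status 200 with an empty body and a header
    that hands the actual transfer to the proxy."""
    if not is_authenticated:
        # A Django view would normally redirect to the login page instead.
        return 403, {}
    full = resolve_media_path(url_path)
    if full is None:
        return 404, {}
    ctype = mimetypes.guess_type(full)[0] or "application/octet-stream"
    headers = {
        "Content-Type": ctype,
        # Force download so an uploaded HTML/SVG file cannot run as a page
        # in the application's origin.
        "Content-Disposition": 'attachment; filename="%s"' % posixpath.basename(full),
        "X-Content-Type-Options": "nosniff",
    }
    if backend == "nginx":
        headers["X-Accel-Redirect"] = NGINX_INTERNAL_PREFIX + full[len(MEDIA_ROOT) + 1:]
    else:
        headers["X-Sendfile"] = full
    return 200, headers
```

The proxy must be configured to honour the header only for responses coming from the application (e.g. nginx `internal;` on the aliased location), otherwise the gate adds nothing.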