Secure /uploads file

That’s how Strapi works right now, you can auth the endpoints but not the files themselves when you fetch them, to do that you’d need to do something like this: