Securityintermediate

File Upload Security

Security measures to prevent malicious file uploads from compromising the server, other users, or the application.

Also known as: upload validation, file upload protection, secure file handling, upload sanitization

Description

File upload functionality is one of the most dangerous features in web applications because it allows users to introduce arbitrary content to the server. Without proper security controls, file uploads can lead to remote code execution (uploading web shells or executable files), cross-site scripting (uploading HTML/SVG files with embedded scripts), denial of service (uploading extremely large files), path traversal (manipulating filenames to overwrite system files), and storage abuse.

Secure file upload handling requires a multi-layered approach. File type validation should check both the file extension and the actual content (magic bytes) rather than trusting the Content-Type header, which is client-controlled. File size limits should be enforced at both the web server and application level. Uploaded filenames should be replaced with randomly generated names to prevent path traversal and overwrites. Files should be stored outside the web root or in cloud object storage (S3, GCS) rather than on the application server, and should be served through a separate domain or CDN with appropriate Content-Disposition headers.

Additional protections include antivirus scanning for uploaded files, image re-processing to strip embedded scripts (ImageMagick or Sharp can re-encode images, removing malicious metadata), Content-Type header enforcement when serving files back (never let the browser guess the type), disabling script execution in upload directories, and imposing per-user upload rate limits and storage quotas. For applications that allow document uploads, consider sandboxed preview rendering rather than direct delivery.

Prompt Snippet

Validate file uploads at multiple levels: check magic bytes (file-type npm package) to verify actual content type regardless of extension or Content-Type header. Enforce maximum file size at the reverse proxy (nginx client_max_body_size) and application level (multer limits). Replace original filenames with UUIDs (crypto.randomUUID() + validated extension) to prevent path traversal. Store uploads in S3/GCS with private ACLs, serve via signed URLs with Content-Disposition: attachment and explicit Content-Type headers. Re-process images through Sharp to strip EXIF data and embedded scripts. Scan uploads with ClamAV before persisting. Restrict allowed MIME types to an explicit allowlist (image/png, image/jpeg, application/pdf).