File upload security

Many web applications let users upload files remotely.

For example, WordPress lets you upload themes and plugins; Google lets you upload files to Google Drive; online apps like Canva let you upload your saved projects, and so on.

Chances are you will handle file uploads for your clients, too.

Allowing users to upload remote files comes with some security implications.

In this chapter you will learn how to handle remote file uploads securely.

File upload and validation

Do you remember the first chapter about variable validation?

In that chapter, you learned how variables set from untrusted sources must always be validated before you can use them.

The same principle applies to uploaded files, too.

In fact, a file sent to your web application is just as untrusted as any request string value, because you have no control over the data that the clients will provide to your back-end.

Therefore, the first step for a secure file upload process is, once again, validation.

This time, the variables you need to validate are:

  • the file name
  • the file size
  • the file content
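
The three checks above, combined into one function as an added example (not code from this course). Python, the images-only policy, the 2 MiB limit and the names `validate_upload`, `MAGIC` and `SAFE_NAME` are all assumptions made for illustration, since this lesson names no language or policy.

```python
import re

# Assumed policy for this example: images only, 2 MiB limit.
MAX_SIZE = 2 * 1024 * 1024
# Allowed extension -> leading bytes ("magic number") the content must start with.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# One base name, one dot, one short lowercase extension. Nothing else.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.([a-z0-9]{1,5})")


def validate_upload(filename, data, max_size=MAX_SIZE):
    """Return a list of validation errors; an empty list means accepted."""
    errors = []

    # 1. File name: strict allowlist pattern, so path separators, NUL bytes,
    #    leading dots and double extensions ("a.php.png") never match.
    match = SAFE_NAME.fullmatch(filename)
    ext = match.group(1) if match else None
    if match is None:
        errors.append("file name not allowed")
    elif ext not in MAGIC:
        errors.append("extension not allowed")

    # 2. File size: measure the bytes actually received, not a length
    #    declared by the client.
    if len(data) == 0:
        errors.append("file is empty")
    elif len(data) > max_size:
        errors.append("file too large")

    # 3. File content: must start with the signature of the claimed type.
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        errors.append("content does not match extension")

    return errors
```

A matching signature only shows that the file starts like the claimed type; it does not prove the rest of the file is harmless.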

On top of that, there are a few more security practices to follow.

Let's start with file name validation.

Lesson takeaways

  • Many web applications let users upload files remotely.
  • Uploaded files cannot be trusted: you must validate them.
  • The specific variables to validate are the file name, the file size and the file content.
