File Upload Security Checklist: 14-Item Guide for Safe Uploads

TL;DR

File uploads are dangerous. Validate file types by content (not extension), set size limits, store files outside your web root, generate random filenames, and never execute uploaded content. 5 critical items must be fixed before launch, 5 important items within the first week, and 4 recommended items when you can.

Quick Checklist (5 Critical Items)

Validate file type by contentCheck magic bytes or MIME type, never trust extensions alone

Whitelist allowed file typesOnly accept specific file types you need, reject everything else

Store outside web rootUploaded files should never be directly accessible via URL

Never execute uploaded contentTreat all uploads as untrusted data

Implement authorization checksVerify users can only access their own uploads

File Validation 4

Validate file type by contentCheck magic bytes or use MIME detection libraries. Never trust file extensions alone. How to validate file types

Whitelist allowed file typesOnly accept specific file types you need. Reject everything else. Never blacklist. How to whitelist file types

Set maximum file size limitsPrevent denial of service from large uploads. Set limits at both client and server. How to limit upload sizes

Sanitize filenamesRemove special characters, path traversal sequences (../), and null bytes from filenames. How to sanitize filenames

Storage Security 4

Store outside web rootUploaded files should never be directly accessible via URL in your application directory. How to secure file storage

Use cloud storage with signed URLsS3, Cloud Storage, or similar. Serve files via time-limited signed URLs for access control. How to use signed URLs

Generate random filenamesDo not use original filenames. Generate UUIDs or random strings to prevent conflicts and enumeration. How to generate secure filenames

Set correct content types when servingServe files with Content-Type header matching actual type. Add Content-Disposition: attachment for downloads. How to set content headers

Malware Protection 3

Scan uploads for malwareUse ClamAV or cloud-based scanning for documents and executables. Block detected threats. How to scan for malware

Re-encode imagesProcess and re-encode uploaded images. This strips embedded scripts and metadata. How to re-encode images

Never execute uploaded contentUploaded files should never be interpreted or executed. Treat all uploads as untrusted data. How to prevent execution

Access Control 3

Implement authorization checksVerify users can only access their own uploads. Check permissions on every download request. How to authorize file access

Rate limit upload requestsPrevent abuse by limiting how many files and how much data users can upload. How to rate limit uploads

Log upload activityTrack who uploads what. Useful for abuse detection and incident investigation. How to log upload activity

Uploads Are a Major Attack Vector

File uploads are consistently one of the most dangerous features to implement. A single vulnerability can let attackers upload malicious scripts and gain full control of your server. The OWASP top 10 includes unrestricted file uploads as a critical risk.

When in doubt, do not accept uploads at all. If you must, use cloud storage with signed URLs, validate everything, and never execute uploaded content.

How do I validate file types securely?

Do not trust file extensions. Check the file content using magic bytes or MIME type detection libraries. Even then, be cautious. Attackers can craft files that pass MIME checks but contain malicious content.

Should I scan uploaded files for malware?

Yes, if accepting files that could contain malware (documents, executables). Use services like ClamAV or cloud-based scanning APIs. For images, re-encoding can strip embedded malware.

Is it safe to accept image uploads?

Images are safer than documents or executables but still risky. Validate MIME type, re-encode using an image library (strips metadata and embedded code), and serve from a separate domain or cloud storage.

TL;DR

Quick Checklist (5 Critical Items)

File Validation 4

Storage Security 4

Malware Protection 3

Access Control 3

Uploads Are a Major Attack Vector

How do I validate file types securely?

Should I scan uploaded files for malware?

Is it safe to accept image uploads?

Related Articles

API Security Checklist

How to Implement Secure File Uploads

How to Use S3 Signed URLs

Check Your Upload Security

File Upload Security Checklist: 14-Item Guide for Safe Uploads