How to handle user uploads

This is part 2 of the security series on how to secure a website. See part 1 for using the right permissions.

 

Assuming you have set the right permissions, how should you handle displaying user-uploaded content, such as what you see on this site?
Here a user can upload files (images) and use them in their articles.

The upload:

The first step is to upload to a directory that is used only for user-uploaded content; never mix it with "your" stuff. Bonus points for a separate directory per user.

A filter

A good idea is to add some filtering (such as anti-virus) on the uploaded files before making them available, or to allow only a specific set of file types to be uploaded.
Or, as done here, limit uploads to users that you know by doing an identity check. I'm using this approach, since I'm forced to do this anyway because of money laundering and anti-terror laws, one of the drawbacks of the crowd funding part of the website.
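The upload and filter steps above can be combined in one storage routine. This is an added example, not code from this site: the names `store_upload`, `sniff_extension` and `RejectedUpload`, the size limit and the `u<id>` directory layout are assumptions made for illustration.

```python
import secrets
import tempfile
from pathlib import Path

# Allowlist: leading magic bytes -> extension that we assign ourselves.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit, not from the article


class RejectedUpload(ValueError):
    """The upload did not pass the allowlist."""


def sniff_extension(data: bytes) -> str:
    """Return the extension for an allowed image type, judged by content only."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    raise RejectedUpload("not an allowed image type")


def store_upload(upload_root: Path, user_id: int, data: bytes) -> Path:
    """Write data below upload_root/u<user_id>/ under a random server-chosen name."""
    if not 0 < len(data) <= MAX_BYTES:
        raise RejectedUpload("empty or too large")
    ext = sniff_extension(data)
    # The client's file name is never used, so "shell.php" or "../x" cannot
    # influence the path or the extension the web server sees.
    user_dir = upload_root / f"u{int(user_id)}"
    user_dir.mkdir(parents=True, exist_ok=True)
    target = user_dir / (secrets.token_hex(16) + ext)
    with open(target, "xb") as fh:  # "x": fail instead of overwriting
        fh.write(data)
    return target


if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())  # stands in for the dedicated upload directory
    sample_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed sample, header only
    print(store_upload(root, 42, sample_png))
    try:
        store_upload(root, 42, b"<?php echo 1; ?>")
    except RejectedUpload as err:
        print("rejected:", err)
```

The signature check only looks at the first bytes, so a file that passes can still carry other content after the header; treat it as one layer, not as proof that the file is harmless.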

Public access

In the case of this website, the uploaded content is visible only on an extra subdomain. A subdirectory would work, but has a few drawbacks.
When using a separate (sub)domain you can limit the exposure of cookies (which you should use only when absolutely necessary anyway). For example, here
normal visitors never get a cookie. Cookies are only used after login to work with the "extra" functions like subscription, messaging, settings, modifying content and so on.

Using a dedicated (sub)domain limits the cookie spread.

More important, though, is the server-side setup. On this user upload directory you need to disable all potential server-side rendering engines like PHP, Python, CGI and similar.

Please check your web server manual to do this.

Also, you need to disable any per-directory config changes via .htaccess or similar.

So even when your filtering fails, it should not be possible to execute anything server-side.

What about client-side things?

You may filter out JavaScript in the filter above, but assume it will fail in some obscure way and a JavaScript file may end up in the upload directory. Now it is time for some client-side protections.

But this is a bit more complicated, so there will be a dedicated article about CSP, or Content Security Policy.