A guide to secure file uploads: how to make your website bullet-proof
Elizaveta Dmitrieva
If you manage a website with user-generated content, you should know how to protect it from the threats that hide in the upload process. Every day, 300 million images are uploaded to Facebook alone. Add to this almost 100 million photos and videos shared on Instagram daily, and the countless other uploads happening across the internet, and it is no wonder that attackers use the upload path to smuggle malware into a system.
In fact, the third most common type of attack on WordPress websites goes through file upload functionality. To make a long story short, the action plan for protecting your website from the “bad guys” looks like this.
How to secure your file uploads step by step
- Understand what the “bad guys” want
- Explore which scenarios they use to attack your site
- Learn how to secure all the sensitive parts of the upload environment
So what can you do to secure a site that accepts file uploads? For this guide, we selected the most common attacker tactics and the security measures that counter them, so you can sleep well at night.
Tactic #1. Overwrite and control
If this type of attack happened offline, it would look like this: a criminal breaks into your office, opens the safe with all the company documents, and replaces, say, the company’s regulations with another document that is outwardly indistinguishable from the original. The same thing happens online. If your application stores uploads under the filename the client supplies, an attacker uploads a file with the same name and extension as one you already have, the new file silently overwrites the existing one, and the chaos begins.
What happens next? You have a Trojan horse in your sanctum sanctorum. Using the malicious file, hackers can launch an attack on your server, change security settings, crash your website, or open a faster path for future malware uploads.
Look at the case of Equifax: in 2017, the company suffered a massive breach that exposed the full names, birth dates, Social Security numbers and other personal data of roughly 147 million people, close to half the US population. The attackers exploited a known but unpatched vulnerability in the multipart (file upload) parser of the Apache Struts framework, CVE-2017-5638, which let a single crafted request execute arbitrary commands on the server. Among other malicious activities, they installed several fraudulent applications on the affected Equifax servers, and tried to infect the root directory and disable the firewall service on system boot.
How to deal with it? First sign in, then upload
Build a barrier that stops anonymous users from uploading anything to your website. How to implement it? Here’s how we do it with File Uploader by Uploadcare: with the Signed Uploads feature, every upload must carry a signature that only your backend can issue, so you decide who gets one (for example, only signed-in users).
Signed uploads work in two steps.
First, your server generates a signature and an expiry date for it using your secret key. This signature is attached to every file uploaded from your application to Uploadcare servers. Because the secret key is what makes the signature unforgeable, generate the signature on your backend and hand only the signature and expiry to the browser; never ship the secret key in client-side code. In JavaScript (Node.js, on the server) it looks like this:
import { generateSecureSignature } from '@uploadcare/signed-uploads'
// Runs on your server: YOUR_SECRET_KEY must never be exposed to the browser.
// expire is an absolute expiration timestamp in milliseconds, here 30 minutes from now.
const { secureSignature, secureExpire } = generateSecureSignature('YOUR_SECRET_KEY', {
expire: Date.now() + 60 * 30 * 1000
})
Next, pass the secureSignature and secureExpire values your backend created (the page fetches them from an authenticated endpoint) to the File Uploader’s configuration:
// secureSignature and secureExpire were received from your backend, e.g. via an authenticated fetch()
const config = document.querySelector('uc-config');
config.secureSignature = secureSignature;
config.secureExpire = secureExpire;
With this approach, every file uploaded from your application is signed with an expiring signature. If someone attempts to upload a file into your project from outside your application, Uploadcare servers reject it because it does not carry a valid, unexpired signature. Keep in mind that a signature that leaks remains valid until it expires, so keep the lifetime short.
It is also a good idea to use authenticated URLs to control who can access the uploaded files and for how long. Our File Uploader supports this as signed URLs: when enabled, a user needs a token to access a file through a link like this:
https://cdn.yourdomain.com/{uuid}/?token=exp={timestamp}~acl={acl}~hmac={token}
Where:
- token is the whole value after token=, which the CDN validates before serving the file.
- exp (the timestamp) is the Unix timestamp after which the token stops working; it is a point in time, not a duration.
- acl is the access control list: the path (or path pattern) the token is allowed to access.
- hmac is the keyed hash (HMAC) over the expiry and the acl, computed with your secret key; it is what makes the token impossible to forge or to reuse for another file.
A signed URL includes authentication information in its query string, providing limited permissions and a specific time window for accessing the file.
Both techniques matter. Together they make sure that knowing a public key or guessing a file URL is not enough to upload into your project or read its data, and that anonymous users never get access to it.
Tactic #2. Intercepting transferred files
If your service invites users to upload ID cards or other personal documents, and you store the uploaded files on a cloud service, security is especially crucial. Attackers often intercept data in transit (sniffing, or man-in-the-middle attacks) to get at files transferred over the Internet or stored in the cloud.
Cybercriminals can easily read unencrypted files, so there is a risk not only of putting private data in the wrong hands, but also of destroying your reputation for reliability, which will ensure that you won’t be a player in the same sector for very long.
How to deal with it? Encryption, encryption, encryption
The good news is that interception is a well-understood attack, which means there is a variety of strong security measures you can implement. The best option is to use two layers of protection.
First, use TLS (its predecessor SSL is obsolete and should be disabled) to encrypt all traffic between the user’s browser and the upload servers, so that an attacker on the network can read neither the files nor the access token (the OAuth token that upload sources like Facebook or Dropbox issue to the upload service).
Second, if an attacker still manages to get hold of a token, it should be useless anywhere but in your own flow: keep tokens short-lived, scope them to the minimum permissions, and bind them to your application (for example, sign them with a key that only your server holds), so that an intercepted token cannot be replayed elsewhere.
Use a Content Security Policy (CSP) to restrict which origins your pages may load scripts and other resources from, and to force every subresource to load over HTTPS (for example with the upgrade-insecure-requests directive), so that pages handling sensitive data cannot be quietly downgraded to plaintext.
Basically, the best way to protect sensitive data is not to gather it at all. For instance, at Uploadcare, when connecting your social media or other upload sources, we never request your passwords, store them, or have access to any of your data. As a result, there’s no risk of exposing any personal data, since there’s no such data on the server.
Tactic #3. The infamous DoS and similar attacks
Remember those movie scenes when a poor speaker gets a sudden shower of rotten tomatoes from the audience? These episodes often end with the speaker shamefully leaving the stage. In this scenario, attackers play the part of the angry audience: they simultaneously upload extremely large files, flooding your bandwidth with huge amounts of traffic.
Denial of service (DoS) attacks, and their distributed form (DDoS) launched from botnets, are the typical examples. This tactic leads to your website crashing or becoming unresponsive: it “leaves the stage” just like the victim of the rotten tomatoes.
How to deal with it? Limit the file sizes
To protect the stability of your service, you want to control who can upload files to your website, and how often. Require authentication before accepting uploads (two-step verification where the account matters), rate-limit uploads per user or, for anonymous endpoints, per IP address, and enforce the maximum file size on the server before the body is read into memory or written to disk; a limit checked only in the browser is a suggestion, not a control. Both very large and very small files can be used for a DoS attack (a flood of tiny files exhausts request handling and storage metadata just as well), so establish a minimum file size and a per-client upload quota too.
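As an added example (not Uploadcare’s code), here is the admission logic a self-hosted upload endpoint would run before reading a request body: per-client count and bandwidth quotas over a sliding window, minimum and maximum size checks on the declared length, and a byte counter that aborts a body that grows past the cap regardless of what Content-Length claimed. The limit values are hypothetical policy numbers.

```javascript
// Added example (not Uploadcare's code): server-side upload limits. The values are
// hypothetical; tune them for your service.
const MIN_BYTES = 64;                           // reject empty or near-empty junk
const MAX_BYTES = 10 * 1024 * 1024;             // 10 MiB per file
const WINDOW_MS = 60 * 1000;                    // sliding window for the rate limits
const MAX_UPLOADS_PER_WINDOW = 20;              // count limit per client and window
const MAX_BYTES_PER_WINDOW = 100 * 1024 * 1024; // bandwidth limit per client and window

// Admission control keyed by client: the authenticated user id, or the source IP
// for anonymous endpoints. The decision is made before a single body byte is read.
class UploadGate {
  constructor(opts = {}) {
    this.minBytes = opts.minBytes ?? MIN_BYTES;
    this.maxBytes = opts.maxBytes ?? MAX_BYTES;
    this.windowMs = opts.windowMs ?? WINDOW_MS;
    this.maxUploads = opts.maxUploads ?? MAX_UPLOADS_PER_WINDOW;
    this.maxBytesPerWindow = opts.maxBytesPerWindow ?? MAX_BYTES_PER_WINDOW;
    this.history = new Map(); // clientId -> [{ t, bytes }]
  }

  // declaredLength is the request's Content-Length. Returns { ok, reason }.
  admit(clientId, declaredLength, nowMs = Date.now()) {
    if (!Number.isInteger(declaredLength)) return { ok: false, reason: 'length_required' };
    if (declaredLength < this.minBytes) return { ok: false, reason: 'too_small' };
    if (declaredLength > this.maxBytes) return { ok: false, reason: 'too_large' };

    // Drop entries that fell out of the window, then apply the per-window quotas.
    const recent = (this.history.get(clientId) || []).filter(e => nowMs - e.t < this.windowMs);
    const bytesInWindow = recent.reduce((sum, e) => sum + e.bytes, 0);
    if (recent.length >= this.maxUploads) return { ok: false, reason: 'rate_limited' };
    if (bytesInWindow + declaredLength > this.maxBytesPerWindow) return { ok: false, reason: 'bandwidth_limited' };

    recent.push({ t: nowMs, bytes: declaredLength });
    this.history.set(clientId, recent);
    return { ok: true };
  }
}

// Content-Length can lie (or be absent with chunked encoding), so also count bytes
// as they arrive and abort the moment the cap is crossed instead of buffering the
// whole body first. `chunks` is any iterable of Buffers; with a Node request stream
// the same loop runs inside `for await (const chunk of req)`.
function readBodyWithCap(chunks, maxBytes) {
  const parts = [];
  let received = 0;
  for (const chunk of chunks) {
    received += chunk.length;
    if (received > maxBytes) return { ok: false, reason: 'too_large', received };
    parts.push(chunk);
  }
  return { ok: true, body: Buffer.concat(parts), received };
}
```

The gate answers from the headers alone, so a rejected request costs almost nothing; the streaming cap is the safety net for clients that lie about the length. For a fleet of upload servers the history map would live in a shared store such as Redis instead of process memory.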
Tactic #4. Data vulnerability — a shortcut through the URL
This is a modern version of the old adage: “Never keep all your eggs in one basket.” Here we assume that an attacker has managed to upload a malicious file to your storage. How can you minimize the risk to your website and your clients’ data? Make sure the file can never be executed or rendered as part of your site when its URL is requested; in other words, contain the damage to the storage folder and cut it off from your website’s code and data.
How to deal with it? Opt for an external storage directory or use a third-party uploader
Direct user-generated content to a location outside your website’s public directory (the document root), where the web server can neither serve nor execute it directly, and hand files back through a handler that streams them under an opaque name and a verified content type. There are two ways to achieve this: you can set up such an external storage folder yourself, or you can use a third-party upload service like File Uploader by Uploadcare.
The first option is good for companies that can afford to pay developers to spend time creating an uploading infrastructure. The second one, on the other hand, is good for businesses who want to delegate the task to professionals and not spend their time maintaining and updating the security system. A reliable third-party solution, like an online data room, makes it easier to scale up the service, because all the infrastructure is already there, and experienced engineers will help tailor it according to your needs.
If you choose to try File Uploader, you don’t really need to keep reading this guide, since all the security solutions mentioned above and below are implemented there, and operate under the watchful eye of our developers.
Tactic #5. File extension manipulations
The file extension is whatever follows the last dot in the filename, like .gif or .png, and it tells you what the file is, right? Not quite. When attempting to bypass security barriers, attackers use “masks”: they simply rename a malicious .exe (or .php) file to .jpeg or any other allowed, commonly used extension. The extension, the filename and the Content-Type header are all chosen by the client, so none of them proves anything about the file’s contents. That’s a surprisingly common way a virus sneaks into a system unnoticed.
How to deal with it? Allow only the types you need, then verify the contents
Protection from “undercover” invasions includes two steps. First, restrict uploads to an allowlist of the file types you actually need rather than trying to blocklist the dangerous ones: the list of dangerous extensions is long and keeps changing, and double extensions like photo.jpg.php slip past naive checks. Second, because renaming defeats any extension check, verify that the content of each file really is what its extension claims, for example by checking the file’s signature bytes and parsing it with the relevant decoder. Only files that pass both checks are stored.
Our File Uploader also scans uploads with ClamAV to detect known malware and removes files that match. No scanner catches everything, so this complements type verification rather than replacing it.
Additionally, we offer automatic SVG file verification, because an SVG is an XML document that can carry JavaScript (in script elements, event-handler attributes or javascript: links) which runs when the image is opened in a browser. If JavaScript is discovered within an SVG file, the file is rejected during upload.
No time to worry about security? Delegate it!
If you feel that you have no time or desire to dive into these topics yourself, let us take care of both your security and your clients’ privacy.
Our File Uploader is compliant with industry-standard privacy and security measures such as:
- Health Insurance Portability and Accountability Act (HIPAA): A set of privacy standards protecting patients' medical records, which is essential for all businesses that transmit health-related information.
- GDPR: A regulation in EU law regarding data protection and privacy, which aims at granting control to individuals over their personal data.
- System and Organization Controls 2 (SOC 2): A set of compliance standards developed by the American Institute of CPAs (AICPA) for organizations that handle sensitive customer data to protect the privacy and interests of their customers.
Data encryption, access control, backups and more: all of it made convenient with the full support of Uploadcare engineers.