Ask HN: How to handle user file uploads?
Upload architecture
- Many use S3 with pre‑signed URLs so clients upload directly, avoiding backend bandwidth and latency.
- Common hardening: restrict file extensions/types, set size limits (e.g., via
Content-Lengthor presigned POSTcontent-length-range), and quarantine uploads in a dedicated “upload” bucket. - Post‑upload pipelines: S3 events → Lambda / queue / worker → validation, virus scan, re‑encoding, thumbnailing, then move to a “processed” bucket.
- Some prefer routing uploads through the backend (EC2/FastAPI/etc.) for easier validation and local testing, arguing upload volume is typically low.
Security & malware scanning
- Techniques include:
- File-type validation by magic bytes / signatures (not just extensions or MIME).
- Antivirus: ClamAV, commercial engines/APIs, VirusTotal hash checks, and government analysis services.
- ClamAV is described as easy to integrate but slow, memory‑hungry, and with mediocre detection; some abandoned it after testing.
- Others argue AV adds attack surface (CVE‑prone, complex) and should be heavily sandboxed (ephemeral containers, no network, strict IAM).
- There’s debate whether AV is worth it vs. strict whitelisting of formats and robust parsing.
Image/video processing
- Strong consensus: don’t serve raw uploads.
- Re‑encode images, generate fixed sizes, strip EXIF/geo and other metadata, sometimes discard originals or archive them separately.
- Helps mitigate codec/lib vulnerabilities, reduce storage/bandwidth, and normalize formats.
- Tools and approaches:
- Image: libvips, ImageMagick, nginx image filter, pict‑rs, imgproxy, Cloudflare Images, Cloudinary, Transloadit, custom C/WASM pipelines outputting raw RGBA.
- Video: ffmpeg, AWS MediaConvert/Elastic Transcoder, Cloudflare Stream, Wistia/BunnyCDN; usually queued/offloaded due to cost and RCE risk.
- Re‑encoding itself can be a vector (codec exploits, zip‑bomb‑like images), so processing is often isolated (seccomp, separate machines, minimal privileges).
Serving & delivery
- Advice: never serve directly from S3; use CloudFront or another CDN for performance, caching, and cost.
- For untrusted content, suggestions include:
- Separate domain for user content (especially for HTML/SVG/PDF).
- CSP
sandbox,X-Content-Type-Options: nosniff, and avoiding type sniffing issues.
Abuse, privacy & threat modeling
- Concerns include CSAM, NSFW content affecting monetization, large “bomb” files, and exploits via images/video.
- Some recommend NSFW detectors plus rate‑limiting and “silent reject” patterns.
- Multiple comments stress starting with a threat model (who uploads, who views, what’s at risk) to avoid both under‑ and over‑engineering.