UploadBird
Security | 2025-01-05 | 8 min read

File Upload Security Best Practices

By Sam Rodriguez


File uploads are a favorite attack vector because they look harmless until they aren't. A single malicious PDF, a crafted SVG, or a 5 GB payload can become a security incident or an outage. In this guide we'll cover the end-to-end checklist for secure uploads—server-side auth, validation, malware scanning, safe delivery—and show how to make it stick without slowing your team down.

1) Authenticate on the server, not the client

The browser should never decide who can upload. Handle identity on your server, mint short-lived permissions, and send the minimal data the client needs to start streaming. Keep API keys and secrets out of client bundles. With UploadBird, middleware runs before any bytes are accepted, so you can check sessions, roles, and rate limits first.

2) Validate early and often

  • Extensions lie: inspect MIME types and, for critical flows, magic bytes to verify actual file type.
  • Size caps: enforce server-side limits to prevent denial-of-wallet and DoS. Mirror limits in the UI for better UX.
  • Allow lists over block lists: explicitly allow expected types; block lists age poorly.
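
An added example, not UploadBird's code or API: a server-side check that applies the three rules above together, detecting the type from magic bytes against an allow list, cross-checking the declared MIME type and extension, and applying a per-type size cap. The function name, field names, allowed types and limits are assumptions chosen for illustration.

```javascript
// Added example: the allow list, size caps and field names are assumptions.
const ALLOWED = [
  { mime: "application/pdf", exts: ["pdf"], maxBytes: 20 * 1024 * 1024,
    magic: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // "%PDF-"
  { mime: "image/png", exts: ["png"], maxBytes: 5 * 1024 * 1024,
    magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", exts: ["jpg", "jpeg"], maxBytes: 5 * 1024 * 1024,
    magic: [0xff, 0xd8, 0xff] },
];

// True when `bytes` begins with the signature `magic`.
const startsWith = (bytes, magic) =>
  bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b);

// head: first bytes the server actually received (Uint8Array).
// size: byte count measured on the server, never the client-reported value.
function validateUpload({ filename, declaredMime, size, head }) {
  // 1. Content decides the type; anything not on the allow list is refused.
  const detected = ALLOWED.find((t) => startsWith(head, t.magic));
  if (!detected) return { ok: false, reason: "type-not-allowed" };
  // 2. The declared MIME type must agree with what the bytes say.
  const mime = String(declaredMime).split(";")[0].trim().toLowerCase();
  if (mime !== detected.mime) return { ok: false, reason: "mime-mismatch" };
  // 3. So must the final extension ("report.pdf.exe" ends in "exe").
  const dot = filename.lastIndexOf(".");
  const ext = dot === -1 ? "" : filename.slice(dot + 1).toLowerCase();
  if (!detected.exts.includes(ext)) return { ok: false, reason: "extension-mismatch" };
  // 4. Per-type size cap, enforced server-side.
  if (size <= 0 || size > detected.maxBytes) return { ok: false, reason: "size-limit" };
  return { ok: true, mime: detected.mime };
}

// Constructed sample inputs (not real uploads).
const enc = new TextEncoder();
const samples = [
  { filename: "report.pdf", declaredMime: "application/pdf", size: 1024, head: enc.encode("%PDF-1.7\n") },
  { filename: "logo.png", declaredMime: "image/png", size: 1024, head: enc.encode("<svg xmlns=") },
  { filename: "invoice.png", declaredMime: "image/png", size: 1024, head: enc.encode("%PDF-1.4\n") },
  { filename: "report.pdf.exe", declaredMime: "application/pdf", size: 1024, head: enc.encode("%PDF-1.7\n") },
  { filename: "big.pdf", declaredMime: "application/pdf", size: 21 * 1024 * 1024, head: enc.encode("%PDF-1.7\n") },
];
for (const s of samples) console.log(s.filename, JSON.stringify(validateUpload(s)));
```

A matching signature only vouches for the first few bytes, so a file that passes here still goes through the scanning step in section 3.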

3) Scan for malware and unwanted content

Every upload should pass through malware and NSFW scanning before it's delivered. Relying on client scanning or after-the-fact checks leaves windows open for abuse. UploadBird runs multi-engine scans in-line and quarantines flagged files, emitting webhooks and audit logs so you can react.

4) Keep storage and access private by default

Public buckets plus guessable URLs are an invitation for scraping and leakage. Use signed URLs with short expirations for private assets, and make "private" the default stance. UploadBird issues signed URLs automatically so you don't hand-roll presigned URL logic.

5) Handle large files safely

Chunked uploads with resumability protect users on shaky networks and reduce failed uploads. Parallel parts need integrity checks and cleanup on abort to avoid orphaned parts and surprise bills. UploadBird handles multipart uploads and retries transparently, reporting progress events you can reflect in UI.

6) Protect downstream delivery

Delivery is part of security. Optimize images to reduce bandwidth spikes, apply content security policies to prevent mixed content issues, and sign delivery URLs for sensitive assets. Region-aware delivery keeps data where compliance demands. UploadBird's CDN layer includes signed URLs, automatic optimization, and region pinning.

7) Log everything, alert on the right things

Keep structured logs and audit trails for who uploaded what, when, from where, and how it was scanned. Alert on spikes in failed scans, unusual file types, and anomalous upload volume. UploadBird emits lifecycle events and audit logs so you can pipe them to your SIEM without custom glue code.

A secure-by-default pattern

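// `f`, `auth`, `audit`, `notify` and `UploadThingError` are assumed to be
// imported or defined elsewhere in the application.
export const fileRouter = {
  // Allow list: this route accepts PDFs only, with a server-side size cap.
  documents: f({ pdf: { maxFileSize: "20MB" } })
    // Authenticate on the server before the upload proceeds.
    .middleware(async ({ req }) => {
      const user = await auth(req);
      if (!user) throw new UploadThingError("Unauthorized");
      // orgId and userId are what onUploadComplete reads from `metadata`.
      return { orgId: user.orgId, userId: user.id };
    })
    .onUploadComplete(async ({ metadata, file }) => {
      // Write the audit record first, then notify the owning org.
      await audit("upload.complete", { file, metadata });
      await notify(metadata.orgId, file.url);
    }),
};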

Follow these steps and you get a file pipeline that's boring in the best way: predictable, observable, and safe. UploadBird bakes these controls in so you can focus on product work instead of reinventing security plumbing.
