Precautions for Public CV/Resume Upload
Unanswered
VoidPointer posted this in #help-forum
I need to add a feature where Joe Public can submit his CV to apply for a job, and we would rather do this without him having to register and authenticate. I've never really dealt with open, public uploads like this and I'm wondering about what measures I could implement to minimize the risk of attack. File type and size checks are the first that come to mind, then rate limiting.
I'm storing the files on Firebase cloud storage, but I'd rather do what I can before relying on whatever that has available.
5 Replies
Saint Hubert Jura Hound
Not having auth could make it a lot harder to prevent DDoSing. IP-based rate limiting can only get you so far. I'd personally go for auth for file uploads especially, but if you must go public, use a captcha and have your backend verify the token before issuing a presigned upload URL.
Upload to a "quarantine" bucket where you run a MIME sniffer on the file before moving it to a public bucket, to catch content type spoofing.
There's still a bunch more, like serving public files from a different subdomain to prevent XSS, deduplication, file size limits, but it's too much to talk about in a few messages. You might want to look up more details on each stage of the flow.
American black bear
If you do rate limiting, file type checking and size checking correctly, you will be safe 99.9 percent of the time, especially if you're a small company. The only other thing I can suggest is a function that checks if the PDF or file they uploaded is safe.
@American black bear If you do rate limiting, file type checking and size checking correctly, you will be safe 99.9 percent of the time, especially if you're a small company. The only other thing I can suggest is a function that checks if the PDF or file they uploaded is safe.
Thanks. It is a small company. I'm going to try to use the uploads and forms feature native to Payload for this, add a captcha, and put a nice disclaimer in my agreement with the client.
Also ensure you have a reCAPTCHA and rate limiting to avoid spam.
You can use a captcha also.