Next.js Discord


Precautions for Public CV/Resume Upload

VoidPointer posted this in #help-forum
I need to add a feature where Joe Public can submit his CV to apply for a job, and we would rather do this without him having to register and authenticate. I've never really dealt with open, public uploads like this and I'm wondering about what measures I could implement to minimize the risk of attack. File type and size checks are the first that come to mind, then rate limiting.

I'm storing the files on Firebase cloud storage, but I'd rather do what I can before relying on whatever that has available.

1 Reply

Saint Hubert Jura Hound
Not having auth could make it a lot harder to prevent DDoSing. IP-based rate limiting can only get you so far. I'd personally go for auth for file uploads especially, but if you must go public, use a captcha and have your backend verify the token before issuing a presigned upload URL.
Upload to a "quarantine" bucket where you run a MIME sniffer on the file before moving to a public bucket, to catch content-type spoofing.
There's still a bunch more, like serving public files from a different subdomain to prevent XSS, deduplication, file size limits, but too much to talk about in a few messages. You might want to look up more details on each stage of the flow.