Design a secure file-upload service for a SaaS platform handling user-generated content.
Key Talking Points
- ✓Use pre-signed upload URLs (S3/GCS) so the browser uploads directly to object storage — the application server never touches raw bytes, reducing attack surface.
- ✓Validate file type server-side using magic-byte detection (e.g. libmagic), not just the `Content-Type` header or file extension, to prevent polyglot / MIME-sniffing attacks.
- ✓Store uploads in a bucket with no public access; serve files through a signed URL or an auth-gated proxy that checks the requester owns or has been granted access to the file.
- ✓Run uploads through antivirus / malware scanning (e.g. ClamAV, cloud scan API) before making them accessible to other users.
- ✓Strip EXIF/metadata from images (e.g. using Sharp) to prevent privacy leaks (GPS coordinates, device info).
- ✓Enforce file-size limits and per-user/tenant quotas at the upload layer to prevent storage abuse (DoS).
- ✓Namespace objects by tenant + UUID (never by user-supplied filename) to prevent path-traversal or enumeration.
- ✓Log every upload and download event (who, what, when) to an append-only audit log for incident investigation.
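Several of the points above (magic-byte detection rather than trusting `Content-Type`, size limits, tenant + UUID object keys that ignore the user's filename, and an audit record per upload) come together in the server-side validation step that runs once the object has landed in the quarantine bucket. The following is an added illustration, not code from the original page or from any particular platform. It assumes a tiny hand-written signature table as a stand-in for libmagic, the function names `detect_type`, `validate_upload` and `audit_event`, a tenant id format of the platform's choosing, and constructed sample bodies; malware scanning and EXIF stripping would run as separate stages after this check passes.

```python
import re
import time
import uuid
from dataclasses import dataclass
from typing import Optional, Tuple

# Magic-byte signatures for the types this service accepts. This tiny table is a
# constructed stand-in for libmagic; a production service would call libmagic
# (or an equivalent) and keep a separate allow-list of permitted MIME types.
MAGIC_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("image/png", "png"),
    b"\xff\xd8\xff": ("image/jpeg", "jpg"),
    b"GIF87a": ("image/gif", "gif"),
    b"GIF89a": ("image/gif", "gif"),
    b"%PDF-": ("application/pdf", "pdf"),
}

# Tenant identifiers are issued by the platform (assumed format), but they are
# still validated before use in an object key so a malformed value can never
# introduce path separators or traversal sequences.
TENANT_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


@dataclass(frozen=True)
class UploadDecision:
    accepted: bool
    reason: str
    object_key: Optional[str] = None   # tenant/<uuid>.<ext>, never the user's name
    detected_type: Optional[str] = None


def detect_type(head: bytes) -> Optional[Tuple[str, str]]:
    """Return (mime, extension) from the leading bytes, or None if unrecognised."""
    for signature, (mime, ext) in MAGIC_SIGNATURES.items():
        if head.startswith(signature):
            return mime, ext
    return None


def validate_upload(raw: bytes, declared_type: str, tenant_id: str,
                    max_bytes: int = 10 * 1024 * 1024) -> UploadDecision:
    """Decide whether a received object may be kept, and under which key."""
    if not TENANT_ID_RE.match(tenant_id):
        return UploadDecision(False, "bad_tenant")
    if len(raw) == 0:
        return UploadDecision(False, "empty")
    if len(raw) > max_bytes:
        return UploadDecision(False, "too_large")

    detected = detect_type(raw[:16])
    if detected is None:
        return UploadDecision(False, "unknown_type")
    mime, ext = detected

    # The client-declared Content-Type is treated as a claim to be checked,
    # not as the truth: a GIF body declared as image/png is a mismatch.
    if declared_type.split(";")[0].strip().lower() != mime:
        return UploadDecision(False, "type_mismatch", detected_type=mime)

    # The storage key is derived from the tenant and a fresh UUID; the extension
    # comes from the detected type, so the user's filename never reaches the key.
    object_key = f"{tenant_id}/{uuid.uuid4().hex}.{ext}"
    return UploadDecision(True, "ok", object_key, mime)


def audit_event(actor: str, tenant_id: str, user_filename: str,
                decision: UploadDecision) -> dict:
    """Build the append-only audit record: who, what, when, and the outcome.

    The user-supplied filename is recorded for investigators but is never
    used to address the object in storage.
    """
    return {
        "ts": time.time(),
        "actor": actor,
        "tenant": tenant_id,
        "action": "upload",
        "user_filename": user_filename,
        "object_key": decision.object_key,
        "accepted": decision.accepted,
        "reason": decision.reason,
    }


if __name__ == "__main__":
    # Constructed sample bodies: a valid PNG header, and a GIF body that the
    # client claims is a PNG (the mismatch the magic-byte check exists to catch).
    png_body = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    gif_body = b"GIF89a" + b"\x00" * 32
    print(validate_upload(png_body, "image/png", "acme"))
    print(validate_upload(gif_body, "image/png", "acme"))
    print(audit_event("user-42", "acme", "../../etc/passwd.png",
                      validate_upload(png_body, "image/png", "acme")))
```

The decision is made on the bytes actually received, so the pre-signed upload URL can be issued freely and the object only becomes reachable by other users once `validate_upload` (and the later scan stage) accepts it; everything the requester supplied, including the filename, ends up only in the audit record.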
A secure upload service isolates storage from the web tier, validates content type (not just extension), strips metadata, and enforces access control on every retrieval. Pre-signed URLs are preferred over proxying blobs through the app.