A few years ago, I walked into what looked like a simple bug: "Image upload not working for some users."
Nothing serious, right?
Wrong.
During debugging, I found a user trying to upload a .jpg file that wasn't really a .jpg file. They had slipped in a file with dual extensions: invoice.png.php.
And our server was happily accepting it. Why?
Because the upload route only performed a basic string check on the file extension—it completely ignored the actual MIME type of the file's content.
If that file had been executed by the web server, it would have been game over: Full Remote Code Execution (RCE) on our application server.
The core issue wasn't a missing line of code; it was a fundamental flaw in the security architecture. The fix wasn't a patch...
It was a mindset shift: focusing on secure defaults, not hoping the "developer remembers to check everything" on every single upload endpoint.
The Secure Defaults Checklist for File Uploads
We ended up centralizing and hardening the entire upload logic into one, reusable module. After that, every upload route in the application became automatically safer.
Here's the checklist that saved us:
- MIME Type Validation (The Gold Standard): We stopped trusting the file extension. We now use libraries (like PHP's Fileinfo or Node's MIME-Type packages) to read the file's header bytes and determine its true content type. Only explicitly whitelisted MIME types are allowed (e.g., image/jpeg, image/png).
- Random, Sanitized Filenames: The original filename is discarded and replaced with a cryptographic hash or a UUID. This prevents path traversal, overwriting critical files, and extension-based attacks like the one we saw.
- Strict Size Limits: Implementing a strict max size limit to prevent Denial-of-Service (DoS) attacks and buffer overflows.
- Isolated Upload Directory: The storage directory for uploads is placed outside the web root and is not configured for execution. The web server is explicitly told not to process files in that folder as scripts (e.g., disabling PHP execution via .htaccess or server configuration).
- Configuration Lock Down: For frameworks and libraries (like Multer in Node.js), every configuration option was reviewed and set to the most restrictive, secure default.
- Logging & Monitoring: Comprehensive logging for all suspicious uploads (files failing MIME or size checks) to rapidly identify active attacks.
The Irony of "Broken"
The funny part? The original bug report still said: "Image upload doesn't work."
Technically true—but for a very good, security-critical reason. Our system was now correctly rejecting malicious input.
That's when I learned the hard truth: File uploads look harmless. They aren't. They are one of the most common vectors for initial compromise.
If you are not enforcing secure defaults in a centralized, unskippable way, you are one upload away from a security incident.