
I've done a lot of searching on SE, and particularly here, regarding how to prevent issues or attacks on an image-based website that accepts image uploads, but I haven't seen anyone mention the idea of adding a limit on the number of file uploads per period of time on the server, and wondered if this would be a good addition?

So far I have read:

Are there any other security precautions to think about? I did read how images should be renamed. I've been thinking about using a 3rd party image API for the site, but I'm still looking into its security and implementation.

2 Answers

4

The challenge you are going to face is how you identify the remote user. It's not very hard for a remote client to change their "appearance" (browser, browser version, cookies, browser plugins, IP address, etc) and look like a new client.

If you place a cookie on their browser that indicates they've uploaded a file they can clear that cookie and upload again.

If you add a flag to their session (tracked server side matching a session cookie you give them) indicating they've done an upload, then they can create multiple accounts.

The better approach may be to:

  1. Decrease the value of spamming your site, taking away their incentive
  2. Improve your ability to detect and remove spam messages (either before or after they are posted)
u2702
  • 2,086
  • 10
  • 11
1

From what I understand, you are trying to limit a user from abusing the file upload functionality by uploading files via automated scripts or something similar. There are two ways to handle this:

  1. Create a control on the server side preventing the user from uploading more than X files in Y time. For example, only 10 images every 5 minutes.
  2. Implement a CAPTCHA of some sort. Here's an answer that talks about what you can do.

You can also limit the size of each image upload, and have some sort of routine that enforces a limit on how much a user can upload in total each day. For example, a daily limit for a user can be 500M, depending on how the site is used.
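As an added illustration (not code from either answer), here is a server-side limiter that combines the two controls described above: a sliding window of at most X uploads per Y seconds, plus a daily byte quota. The `UploadLimiter` class, its parameter names and the defaults (10 files per 5 minutes, 500 MiB per day) are assumptions chosen to match the figures in the answer; per the first answer, the key should be an authenticated account id, not a cookie or IP the client can simply change.

```python
from collections import defaultdict, deque
from datetime import date


class UploadLimiter:
    """Per-account upload throttle (hypothetical helper, not a library API).

    Allows at most `max_files` uploads in any `window_seconds` span and at
    most `daily_bytes` total per calendar day. `user_id` is assumed to be
    the id of an authenticated account, so a client cannot reset the count
    by clearing cookies or switching IP addresses.
    """

    def __init__(self, max_files=10, window_seconds=300,
                 daily_bytes=500 * 1024 * 1024):
        self.max_files = max_files
        self.window = window_seconds
        self.daily_bytes = daily_bytes
        self._times = defaultdict(deque)              # user_id -> recent upload times
        self._daily = defaultdict(lambda: [None, 0])  # user_id -> [day, bytes used]

    def check(self, user_id, size, now):
        """Return (allowed, reason) for an upload of `size` bytes at epoch time `now`.

        `size` should be the number of bytes actually received, not a
        client-supplied Content-Length. The upload is recorded only if allowed.
        """
        q = self._times[user_id]
        # Drop timestamps that have aged out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_files:
            return False, "too many uploads in window"

        used = self._daily[user_id]
        today = date.fromtimestamp(now)
        if used[0] != today:          # new calendar day: reset the byte counter
            used[0], used[1] = today, 0
        if used[1] + size > self.daily_bytes:
            return False, "daily byte quota exceeded"

        q.append(now)
        used[1] += size
        return True, "ok"
```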