Tuesday 6 October 2020

Image / File storage / upload Best practice

I read a couple of blogs and came across these guidelines:

Firstly, where to store the image:

  1. Amazon S3 (or another object store). The uploaded image is pushed to the bucket and only its key/URL is stored in the DB.
  2. Save the files to local disk, a dedicated file server, or cloud storage, and keep only the path in the DB.



Flaws in storing the image bytes in the database:

  1. It consumes space on the database server, which is the most expensive storage you run.
  2. It slows down the database server:
    1. Every request transmits the entire picture in the query response to the web server.
    2. The web server then forwards it to the requesting browser.
    3. That doubles the bandwidth used for every image view, and the web server cannot cache or stream the file as it would from disk.
  3. User uploads grow the database, and database storage and backups cost more than plain file storage, so hosting price goes up.
  4. A database is not designed to work as a file store.


Where not to store:

  1. Not inside the web root, where an uploaded file can be requested directly by URL (and, on a misconfigured server, executed).
  2. Not in a folder named after the username, or in any path built from user input; derive the path from values you generate.
  3. Do not store all the images in one folder. Spread them over subfolders (for example by the first characters of a random name) and limit the number of files per folder.

Please read the link below to see how many files can be saved in a directory. Note that it is an old answer and the limits may differ from today's file systems.
https://stackoverflow.com/questions/466521/how-many-files-can-i-put-in-a-directory
 

Precautions while storing an image:

  1. Never use the user-provided file name; generate one yourself.
  2. Resize (re-encode) the image. Re-encoding also discards anything an attacker appended after the image data.
  3. Open the file and check that its contents are an image. Do not rely on the file extension or on the Content-Type header sent by the client; both are attacker-controlled.


Guideline while uploading images:
These are taken from acunetix.com

    Define an .htaccess file that will only allow access to files with allowed extensions.
    Do not place the .htaccess file in the same directory where the uploaded files will be stored, instead, place it in the parent directory. This way the .htaccess file can never be overwritten by an attacker.
    A typical .htaccess which allows only GIF, JPG, JPEG, and PNG files should include the following (this should be adapted as necessary for specific requirements). The following will also prevent double extension attacks:

    deny from all
    <Files ~ "^\w+\.(gif|jpe?g|png)$">
    order deny,allow
    allow from all
    </Files>
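The snippet above uses the Apache 2.2 access-control directives (Order/Deny/Allow); on Apache 2.4 they only keep working when mod_access_compat is loaded, and the native form is Require. The following is an added example written for this post, not taken from acunetix.com, showing the same rule in 2.4 syntax with handler and option hardening added. It assumes the upload tree is covered by an AllowOverride that permits AuthConfig, FileInfo and Options in .htaccess.

```apache
# Added example (not from the original post): Apache 2.4 form of the rule.
# Place this .htaccess in the PARENT of the upload directory so an uploaded
# file can never overwrite it; the rules inherit into subdirectories.

# Default deny: nothing in this tree is served unless explicitly allowed.
Require all denied

# Allow only names made of word characters plus one whitelisted extension.
# "\w+" cannot match a dot, so shell.php.jpg and shell.jpg.php are both denied.
<FilesMatch "^\w+\.(gif|jpe?g|png)$">
    Require all granted
</FilesMatch>

# Serve everything here as a static file, even if PHP or CGI handlers are
# mapped elsewhere in the server config.
SetHandler default-handler

# No CGI execution and no directory listings under this tree.
Options -ExecCGI -Indexes
```

The whitelist regex is unchanged from the original; the extra directives close the remaining gap where a file that passes the name check is still handed to a script engine because of a server-wide AddHandler.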

    If possible, upload the files in a directory outside the server root.
    Prevent overwriting of existing files (to prevent the .htaccess overwrite attack).
    Create a whitelist of accepted MIME-types (map extensions from these MIME-types).
    Generate a random file name and add the previously generated extension.
    Don’t rely on client-side validation only, since it is not enough. Ideally, both server-side and client-side validation should be implemented.
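The two lists above (the storage precautions and the acunetix upload guidelines) describe one procedure: sniff the real content type, map it to a whitelisted extension, generate a random name, refuse to overwrite, and spread files over folders. The following is an added example written for this post, not code from acunetix or any library, that implements those steps with the Python standard library only. The size and pixel limits, the upload root and the sample inputs are all constructed for the example; the samples are image headers only, not complete images, and real deployments should additionally re-encode with an image library (which this block does not do).

```python
# Added example: server-side handling of an image upload (stdlib only).
import os
import secrets
import struct
import tempfile
from pathlib import Path
from typing import Optional, Tuple

MAX_BYTES = 5 * 1024 * 1024   # assumed size cap: reject before parsing anything
MAX_PIXELS = 4000 * 4000      # assumed dimension cap: rejects decompression bombs

# Whitelist keyed by bytes actually present in the file. The extension comes
# from this table, never from the client's filename or Content-Type header.
MAGIC = {
    "image/png":  ((b"\x89PNG\r\n\x1a\n",), "png"),
    "image/jpeg": ((b"\xff\xd8\xff",), "jpg"),
    "image/gif":  ((b"GIF87a", b"GIF89a"), "gif"),
}


def sniff(data: bytes) -> Optional[Tuple[str, str]]:
    """Return (mime, extension) if the leading bytes match a whitelisted type."""
    for mime, (prefixes, ext) in MAGIC.items():
        if data.startswith(prefixes):
            return mime, ext
    return None


def _jpeg_dims(data: bytes) -> Optional[Tuple[int, int]]:
    """Walk JPEG marker segments to the first SOFn header and read width/height."""
    i = 2                                                  # skip SOI (FF D8)
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xFF:                                 # fill byte
            i += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers
            i += 2
            continue
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):  # SOF0..SOF15
            if i + 9 > len(data):
                return None
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        i += 2 + seg_len
    return None


def dimensions(mime: str, data: bytes) -> Optional[Tuple[int, int]]:
    """Parse the header for the pixel size; None means the header is malformed."""
    if mime == "image/png":
        if len(data) < 24 or data[12:16] != b"IHDR":
            return None
        return struct.unpack(">II", data[16:24])           # IHDR width, height
    if mime == "image/gif":
        return struct.unpack("<HH", data[6:10]) if len(data) >= 10 else None
    return _jpeg_dims(data)


def validate_image(data: bytes) -> Tuple[str, str, int, int]:
    """Return (mime, ext, width, height) or raise ValueError. Client name/type are ignored."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    found = sniff(data)
    if found is None:
        raise ValueError("content is not a whitelisted image type")
    mime, ext = found
    dims = dimensions(mime, data)
    if dims is None:
        raise ValueError("malformed image header")
    width, height = dims
    if width * height > MAX_PIXELS:
        raise ValueError("image dimensions exceed limit")
    return mime, ext, width, height


def is_acceptable(data: bytes) -> bool:
    try:
        validate_image(data)
        return True
    except ValueError:
        return False


def store_upload(data: bytes, root: Path) -> Path:
    """Write a validated upload under root (outside the web root) with a random name."""
    _, ext, _, _ = validate_image(data)
    name = secrets.token_hex(16)
    target_dir = root / name[:2]     # shard into 256 buckets so no folder holds everything
    target_dir.mkdir(parents=True, exist_ok=True)
    target = target_dir / f"{name}.{ext}"
    # O_EXCL: fail rather than overwrite if the name already exists.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


# Constructed sample inputs (headers only; not complete, viewable images).
SAMPLES = {
    "png": (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", 800, 600) + b"\x08\x02\x00\x00\x00" + b"\x00" * 4),
    "jpg": (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\xff\xc0" + struct.pack(">H", 17) + b"\x08" + struct.pack(">HH", 480, 640)
            + b"\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01" + b"\xff\xd9"),
    "gif": b"GIF89a" + struct.pack("<HH", 16, 16) + b"\x00\x00\x00",
    "php": b"<?php system($_GET['c']); ?>",        # uploaded as "shell.php.jpg", type image/jpeg
    "bomb": (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
             + struct.pack(">II", 100000, 100000) + b"\x08\x02\x00\x00\x00" + b"\x00" * 4),
}


def demo() -> list:
    """Store each accepted sample in a temp root; return the extensions written."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    return [store_upload(b, root).suffix for b in SAMPLES.values() if is_acceptable(b)]
```

Calling demo() writes the three genuine headers under random names such as 3f/3f9a....png and rejects the PHP file (wrong magic bytes, whatever its name or declared type) and the oversized PNG (header claims 10 gigapixels). Serve the stored files through an application route that looks the random name up in the database, never by exposing the upload root as a URL.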


For recommended image sizes please read the guidelines here:
https://flothemes.com/flothemes-image-sizes/

Good resources to read:
https://www.acunetix.com/websitesecurity/upload-forms-threat/

