Search code examples
securityimageuploadpreview

Securing anonymous image uploads

Sites like www.ebayclassifieds.com let users upload images in order to see thumbnail previews and make image adjustments before posting content. Visitors are able to upload images to those sites anonymously without any authorization beforehand.

Can the same type of image previews be done for a smaller site that has bandwidth and disk space constraints? I'd guess that one would set up a cron job to periodically delete images that were anonymously uploaded. But what are other measures that can be taken so that bandwidth usage and disk space don't get out of hand, in case someone tries to spam your site with bogus image uploads?

Solution

  • Here are some ideas off the top of my head:

    1. Use session state to keep track of uploaded files and delete them automatically when the session expires.
    2. Limit uploads per session/visitor (ie. one per anonymous visitor)
    3. Limit the maximum size of a file that can be uploaded.
    4. Limit image types to only those that are compressed (ie. don't allow BMPs)
    5. Scale the images down to a reasonable size as soon as they are uploaded. You probably don't need full size.