User-uploaded content

I'm working on an app with user-uploaded content. Reading through the Security portion of the Django docs, about user-uploaded content specifically, it seems most solutions are on the server side. Does PythonAnywhere have any suggestions on this topic when deploying to PythonAnywhere servers?

For the first two things they suggest:

If your site accepts file uploads, it is strongly advised that you limit these uploads in your Web server configuration to a reasonable size in order to prevent denial of service (DOS) attacks. In Apache, this can be easily set using the LimitRequestBody directive.

We already have the equivalent nginx configuration in place, so you don't need to worry about that.

If you are serving your own static files, be sure that handlers like Apache’s mod_php, which would execute static files as code, are disabled. You don’t want users to be able to execute arbitrary code by uploading and requesting a specially crafted file.

If you're using the "Static files" table on the "Web" tab to set up your static files, that is also in place and working.

The other item -- to do with validating user-uploaded content carefully and perhaps serving it from a different domain -- is something you'd need to implement yourself, as the implementation would be very specific to the way your site works -- like they say, there's no general solution.
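As an added illustration of the "validate user-uploaded content carefully" step that the reply leaves to the application, here is a self-contained validator written for this thread; it is not PythonAnywhere's or Django's code. It uses only the standard library so it runs anywhere, and the function names, the extension allow-list and the 5 MiB cap are assumptions. In a Django project the same checks would sit in a form's clean_<field>() method or a model validator, and the headers helper shows the response headers you would set if the app itself serves the files rather than a separate domain.

```python
import hashlib
import io
import os

# Allow-list: extension -> (Content-Type we will serve, magic bytes the file must start with).
# Anything not listed is rejected; the client's declared Content-Type is never trusted.
# This list is an assumption for the example; tailor it to what your site actually accepts.
ALLOWED = {
    "png":  ("image/png",       [b"\x89PNG\r\n\x1a\n"]),
    "jpg":  ("image/jpeg",      [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg",      [b"\xff\xd8\xff"]),
    "gif":  ("image/gif",       [b"GIF87a", b"GIF89a"]),
    "pdf":  ("application/pdf", [b"%PDF-"]),
}
MAX_BYTES = 5 * 1024 * 1024  # application-level cap, on top of the web server's body limit


class UploadRejected(ValueError):
    """Raised for any upload that fails validation; the message is safe to show to the user."""


def validate_upload(filename, fileobj):
    """Check an upload and return (stored_name, content_type, size).

    stored_name is derived from the content hash, so nothing the user typed
    (directory parts, double extensions, odd characters) ever reaches disk.
    """
    # 1. Drop any directory part the client sent and take the final extension only.
    base = os.path.basename(filename.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not stem or ext not in ALLOWED:
        raise UploadRejected("file type not allowed")
    content_type, signatures = ALLOWED[ext]

    # 2. Enforce the size cap without buffering more than MAX_BYTES + 1 bytes.
    data = fileobj.read(MAX_BYTES + 1)
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not data:
        raise UploadRejected("empty file")

    # 3. Sniff the content: the bytes must match the extension's signature, so an
    #    HTML or script file renamed to .png is refused whatever its name claims.
    if not any(data.startswith(sig) for sig in signatures):
        raise UploadRejected("content does not match file type")

    stored_name = hashlib.sha256(data).hexdigest()[:16] + "." + ext
    return stored_name, content_type, len(data)


def validate_bytes(filename, data):
    """Convenience wrapper for in-memory data (e.g. tests and small forms)."""
    return validate_upload(filename, io.BytesIO(data))


def rejection_reason(filename, data):
    """Return the rejection message for an upload, or None if it is accepted."""
    try:
        validate_bytes(filename, data)
    except UploadRejected as exc:
        return str(exc)
    return None


def download_headers(stored_name, content_type):
    """Headers to use when the app itself serves a validated upload.

    'attachment' keeps the browser from rendering the file inline on the site's
    origin and 'nosniff' stops it from second-guessing the type. The Django docs'
    advice to serve uploads from a separate domain is the stronger control; these
    headers complement it rather than replace it.
    """
    return {
        "Content-Type": content_type,
        "Content-Disposition": 'attachment; filename="%s"' % stored_name,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header, and an HTML file renamed to .png.
    name, ctype, size = validate_bytes("../photos/cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    print(name, ctype, size, download_headers(name, ctype))
    print("rejected:", rejection_reason("page.html.png", b"<!DOCTYPE html><p>hello</p>"))
```

The ordering matters: the extension check is cheapest and runs first, the size check reads at most one byte past the cap so an oversized body is never fully buffered, and the magic-byte check runs last on data that is already bounded. Renaming to a hash means the stored name carries no user input at all, which removes a whole class of path and double-extension problems before the file is ever requested back.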