Take precautions when accepting file uploads through your site
When anyone has the option to upload something to your website, they could abuse the privilege by loading a malicious file, overwriting one of the existing files important to your website, or uploading a file so large it brings your whole website down.
If possible, simply don’t accept any file uploads through your website. Many small business websites can get by without offering the option of file uploads at all. If that describes you, you can skip everything else in this step.
But eliminating file uploads isn’t an option for all websites. Some types of businesses, like accountants or healthcare providers, need to give customers a way to securely provide documents.
If you need to allow file uploads, take a few steps to make sure you protect yourself:
- Create a whitelist of allowed file extensions. By specifying which types of files you’ll accept, you keep suspicious file types out.
- Use file type verification. Hackers try to get around whitelist filters by giving a document an extension that doesn’t match its actual type, or by adding dots or spaces to the filename.
- Set a maximum file size. Avoid distributed denial of service (DDoS) attacks by rejecting any files over a certain size.
- Scan files for malware. Use antivirus software to check all files before opening.
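
The first three checks in the list above combined into one validation routine, as an added example that is not from the original page. The allowed types, the 5 MiB limit, the function name and the server-generated storage name are assumptions chosen for illustration; malware scanning is left to a separate scanner.

```python
import os
import uuid

# Assumed policy values; the page does not name specific types or a size limit.
MAX_BYTES = 5 * 1024 * 1024
# Allowed extension -> leading "magic" bytes that real files of that type start with.
ALLOWED = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def check_upload(filename, data):
    """Return (True, storage_name) if the upload passes, else (False, reason)."""
    # Keep only the last path component so the name cannot point at site files.
    name = os.path.basename(filename.replace("\\", "/"))
    # Control characters (including NUL) have no place in an upload name.
    if any(ord(c) < 32 for c in name):
        return False, "control character in filename"
    # Some filesystems drop trailing dots/spaces, changing the effective extension.
    if name != name.strip(". "):
        return False, "leading/trailing dots or spaces"
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if not stem or ext not in ALLOWED:
        return False, "extension not allowed"
    # Strict policy (assumption): refuse double extensions such as a.php.pdf.
    if "." in stem:
        return False, "multiple extensions"
    # In production, also cap the request body at the web server so an
    # oversized upload is cut off before it is read into memory.
    if len(data) > MAX_BYTES:
        return False, "file too large"
    # File type verification: the content must start with the expected signature.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    # Store under a generated name so an upload can never overwrite an existing file.
    return True, uuid.uuid4().hex + ext
```

Store accepted files outside the web root under the returned name, and run the antivirus scan on them before anyone opens them.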







