Find out about the latest from Cloudmersive.

Restrict File Upload Types to Limit your Threat Profile
5/18/2023 - Brian O'Neill


Why Limit File Upload Types?

The availability and affordability of scalable Cloud Storage solutions has increasingly made direct file upload processes more viable for businesses of all sizes around the world. The benefits of incorporating such processes are clearcut: allowing client-side users to rapidly share things like resumes, insurance claims, photos, and support documentation directly through a file upload portal into a dedicated storage instance simultaneously streamlines business efficiency and improves users' experiences.

However, laying out a direct path between a storage instances and external users also opens the door to some new and daunting security challenges. This makes it possible for threat actors (meaning malicious client-side users intending to exploit a system for some monetary gain, or merely to damage its reputation for personal reasons) to carry out cyber-attacks by weaponizing file uploads in a variety of subtle ways. Many common file formats can be injected with viruses, malware, scripts, macros, and other forms of non-malware threats, and if file upload security policies aren’t carefully evaluated, monitored, and regularly updated to detect these threats, perpetrators can rapidly steal data from a system or compromise access to it entirely.

The growing prevalence of file upload threats makes it crucial for businesses with direct file upload processes to implement powerful, exhaustive policies in defense of their sensitive storage instances - as well as in defense of their trusted client-side users' environments. That starts with deploying anti-virus and anti-malware policies at critical points around a network, but it doesn’t end there. It’s just as important to include rigorous content verification policies that explicitly ignore (i.e., don’t trust) file extensions and headers when validating file upload contents. Considering there are dozens of viable file formats which client-side users can choose before uploading their content for any given business service, however, broad scale content verification can appear to force an uncomfortable choice between upload security and upload efficiency.

Thankfully, there's a simple and balanced solution to this problem. Rather than tackle the problem of validating/verifying dozens upon dozens of unique file formats head-on, it's best to limit the scope of the problem by disallowing unnecessary file types entirely. If, for example, a SaaS website implements a file upload process allowing customers to provide photo documentation alongside their application support tickets, there’s virtually no need to expand the list of viable image formats beyond .PNG or .JPG. Logically, most screenshots are automatically stored in .PNG format anyway, so allowing more complex formats (like .BMP or .TIFF, for example) into the fold is unnecessary to begin with. Once viable file formats are limited to a short list, the process of validating and verifying each new file’s contents becomes far more efficient and dependable, all without having any adverse impact on users' experiences.

Set Custom File Type Restrictions via the Cloudmersive Advanced Virus Scan API

You can easily set custom restrictions on file upload types using the Cloudmersive Advanced Virus Scan API. The restrictFileTypes policy allows you to provide a comma-separated list of file formats which are acceptable for your specific workflow’s needs. Once this policy is configured, all file uploads will receive full, in-depth content verification against this list of viable extensions, and any files NOT matching the extensions provided on the list will receive a CleanResult: False Boolean in the API response body. This makes it easy to rapidly block dozens of potentially dangerous file uploads and instantly improve your website’s file upload threat profile.

Additionally, as its title suggests, the Cloudmersive Advanced Virus Scan API will, by default, scan all file uploads against a growing list of more than 17 million virus and malware signatures, including ransomware, spyware, trojans, and additional non-malware threats. This service leverages high-speed in-memory scanning to deliver sub-second typical response times.

For more information on how the Cloudmersive Advanced Virus Scan API can impact your business, please reach out to a member of our sales team.

800 free API calls/month, with no expiration

Get started now! or Sign in with Google

Questions? We'll be your guide.

Contact Sales