User Uploads - how to handle files


I’ll start this by saying I am not a developer but I am looking for advice. I have a site built in Yii2.0 (Advanced template). I am looking for a correct solution so I can advise my developer of what I want him to do for me.

At present registered users (who have Signed In) on my site can upload files

  • Avatar profile images
  • other files to their account (word docs, pdfs etc)

These files are confidential and only they and other linked users on their company account should be able to access/view them.

Current setup:
User uploads files and the files go into the Upload folder in the web root.
(location: frontend/web/upload)

The Problem - these files can be accessed by anyone who has the full URL to the file. (example:
While it is unlikely that anyone would know the URL, it is still a big security risk.
Also, I am worried about web crawlers crawling them even if I block them with robots file.

I am looking for the best way of securing these in the Yii framework. I have looked through the forums and see different mentions of backend/web/upload, symlinks, putting files in DBs etc but I want to know is there any industry standard ‘gold plated’ Yii recommended solution that I can get implemented.

My ideas so far are:

  • upload to directory not in web root but then I don’t know how to access them for Signed In users. Can this be done?
  • upload files to the DB and keep them away from the Yii files on the server
  • upload files to a cloud repository (S3 bucket)
  • use htaccess to protect the uploads folder in some way

Any suggestions/recommendations would be appreciated.

My main concerns are security…

  1. the wrong people accessing them
  2. how do I scan files to block potential malware that someone may have uploaded

I understand that point 2 is separate but it is part of my security concern. I am worried that if the files are sitting on the server with the main Yii files and there is Malware in an upload, could it corrupt my whole site?

Many thanks

  1. Upload files to non-public directory.
  2. Check access and send files via.

Likely you can use Haven’t personally tried it but should work well. At least their reports for manual uploads are fine.

No, that won’t happen. If uploaded files aren’t executed, there’s no harm in them being stored except, of course, serving these to your users.

I suppose it’s better to generate personal temporary links and serve them with the secure links nginx module (other servers may support something similar).
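
The "non-public directory, check access, then send the file" approach from the replies, sketched as a Yii 2 controller. This is an added example, not code from the thread or from the Yii project. The `UserFile` model, its `company_id`, `stored_name` and `original_name` columns, the `company_id` attribute on the user identity, and the `@frontend/runtime/uploads` storage path are assumptions, and `sendFile()` is used here because the method the reply linked to is not preserved on the page.

```php
<?php
// Added example. Assumed names: UserFile model and its columns,
// identity->company_id, and the storage path outside frontend/web.
namespace frontend\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;
use yii\web\NotFoundHttpException;
use frontend\models\UserFile; // hypothetical ActiveRecord: one row per upload

class FileController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                // '@' matches authenticated users only; guests are sent to login
                'rules' => [['allow' => true, 'roles' => ['@']]],
            ],
        ];
    }

    public function actionDownload($id)
    {
        $file = UserFile::findOne((int) $id);
        $user = Yii::$app->user->identity;

        // Authorize per file, not just per login: the requester must belong
        // to the company that owns the file. A missing row and a foreign row
        // return the same 404 so file IDs cannot be probed for existence.
        if ($file === null || (int) $file->company_id !== (int) $user->company_id) {
            throw new NotFoundHttpException('File not found.');
        }

        // stored_name is a server-generated name saved at upload time;
        // basename() drops any directory components before the path is built.
        $dir = Yii::getAlias('@frontend/runtime/uploads'); // not under web/
        $path = $dir . DIRECTORY_SEPARATOR . basename($file->stored_name);
        if (!is_file($path)) {
            throw new NotFoundHttpException('File not found.');
        }

        // Sent as an attachment (the default), so the browser downloads it
        // instead of rendering it in the site's origin.
        return Yii::$app->response->sendFile($path, $file->original_name);
    }
}
```

Because files are only reachable through this action, there is no direct URL for a crawler or an outsider to request; links in the site point at the action with the file's ID instead of at a path under `web/`.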