I’ll start this by saying I am not a developer but I am looking for advice. I have a site built in Yii2.0 (Advanced template). I am looking for a correct solution so I can advise my developer of what I want him to do for me.
At present registered users (who have Signed In) on my site can upload files
- Avatar profile images
- other files to their account (word docs, pdfs etc)
These files are confidential and only they and other linked users on their company account should be able to access/view them.
User uploads files and the files go into the Upload folder in the web root.
The Problem - these files can be accessed by anyone who has the full URL to the file. (example: www.sitedomain.com/upload/user/30/file.png)
While it is unlikely that anyone would know the URL, it is still a big security risk.
Also, I am worried about web crawlers crawling them even if I block them with robots file.
I am looking for the best way of securing these in the Yii framework. I have looked through the forums and see different mentions of backend/web/upload, symlinks, putting files in DBs etc but I want to know is there any industry standard ‘gold plated’ Yii recommended solution that I can get implemented.
My idea’s so far are:
- upload to directory not in web root but then I don’t know how to access them for Signed In users. Can this be done?
- upload files to the DB and keep them away from the Yii files on the server
- upload files to a cloud repository (S3 bucket)
- use htaccess to protect the uploads folder in some way
Any suggestions/recommendations would be appreciated.
My main concerns are security…
- the wrong people accessing them
- how do I scan files to block potential malware that someone may have uploaded
I understand that point 2 is separate but it is part of my security concern. I am worried that if the files are sitting on the server with the main Yii files and there is Malware in an upload, could it corrupt my whole site?