Is it secure to use GCP signed URLs on a public site for uploading sensitive identification documents?


Hello Stack Overflow community,

I'm currently part of a project where there was recently a suggestion for exposing a backend API endpoint on a public website that generates signed URLs for users to upload their personal identification documents (e.g., driver's license, passport, birth certificate) to a GCP bucket. The website is designed to be accessed anonymously without any user authentication.

I have major reservations about this approach due to the following concerns:

Highly Sensitive Data: The documents in question are extremely sensitive, carrying significant risks if exposed or misused.

Potential for Malicious Uploads: There's nothing preventing anyone from continuously generating signed URLs and uploading irrelevant or harmful content.

Bucket Capacity and Costs: Abuse of this feature could drastically increase our storage costs.

To address these concerns, I suggested implementing an API endpoint that receives the file uploads directly. This way, before saving the file, we can:

Vet the upload by checking the file type and size.

Scan for malicious content using tools like ClamScan or similar libraries, given our backend is built with Node.js/TypeScript.

However, my suggestion hasn't been dismissed. I'm seeking external perspectives to understand better if my apprehensions are warranted and if my proposed solution is more secure. Are there other best practices or alternative methods we should be considering to handle such uploads securely?

Thanks in advance for your insights!
