I did notice one potential flaw in the way your API/website works, though, which is that raw access to the uploaded files is enabled regardless of content type. This allows people to use your website to host scripts and other malicious files that they can reuse to execute XSS attacks against other websites. This is mostly a problem for the other website (which would lack proper security headers) but it could lead to Google blacklisting your website for "hosting malware". Some phone scammers leverage websites like yours that try to provide a simple, cheap service to host their fake virus warnings and such.
I'd personally recommend against allowing text content to be directly accessible with a single GET request from another source.
You've set up some protections against this (rate limiting mode) but that could be circumvented by pointing a browser at the file viewer and placing something heavy on the F5 key. I'd personally also check the origin/referrer headers for files that aren't images or video and block their direct inclusion in some way.
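One way to implement the Origin/Referer check suggested above, as an added example that is not part of the original comment or the site's own code. `SITE_HOST`, `raw_file_policy` and the header values in the comments are hypothetical; serving the remaining files as `text/plain` attachments with `nosniff` is an extra assumption, covering requests where the including page suppresses the Referer header.

```python
from urllib.parse import urlsplit

SITE_HOST = "files.example"          # assumption: hostname of the file-hosting site
MEDIA_PREFIXES = ("image/", "video/")  # types the comment leaves embeddable


def raw_file_policy(content_type, request_headers):
    """Decide (status, response headers) for a GET on a raw uploaded file."""
    ctype = content_type.split(";")[0].strip().lower()

    # Images and video may be hotlinked. SVG is excluded here because it can
    # carry script, so it is handled like any other text file.
    if ctype.startswith(MEDIA_PREFIXES) and ctype != "image/svg+xml":
        return 200, {"Content-Type": ctype, "X-Content-Type-Options": "nosniff"}

    headers = {k.lower(): v for k, v in request_headers.items()}
    source = headers.get("origin") or headers.get("referer")

    # Exact host comparison: "files.example.evil.test" and "Origin: null"
    # (sandboxed frames) both fail it and are treated as foreign.
    if source and urlsplit(source).hostname != SITE_HOST:
        return 403, {"Content-Type": "text/plain; charset=utf-8"}

    # No Origin/Referer (direct visit, or stripped by the including page's
    # Referrer-Policy): serve the bytes, but in a form a browser will not
    # execute as script or render as HTML.
    return 200, {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Cross-Origin-Resource-Policy": "same-origin",
    }
```
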