Glad you asked. This is a tricky subject, and few application developers are aware of the security risks.

I’ll give you a summary of the approaches you should take, and some reading to learn more. Make sure you read the additional reading, because my summary is incomplete.

Summary:

1. Host the user-uploaded content on a separate domain. This is the most important and reliable defense you can take.

2. Check the MIME type of the uploaded file, when it is uploaded, to make sure it is on a whitelist of safe MIME types. Generate a new random filename to save it under. In the case of some file types, such as images, Consider re-coding it (e.g., transform to PNG, or use ImageMagick to convert it from its filetype to the same filetype), as this may defeat some attacks.

3. When the file is downloaded/retrieved, make sure to set the Content-Type: header explicitly to the safe MIME type. Also set a X-Content-Type-Options: nosniff header. If you don’t intend for the file to be viewed in the browser, send a Content-Disposition: attachment header, too, to make the browser treat it as a file download.

4. Scan file uploads for viruses or malware.

Reading:

• What steps should be taken to validate user uploaded images within an application?

• MIME sniffing protection

• Is it safe to store and replay user-provided mime types?

• Is it safe to serve any user uploaded file under only white-listed MIME content types?