| Pitfall | Consequence | Fix |
|---------|-------------|-----|
| Trusting Content-Type header | Malware uploaded as image/jpeg | Validate magic bytes |
| Storing files with original name | Overwrite, path traversal, XSS | Generate random name |
| No antivirus scanning | Server becomes malware distribution point | Mandatory scanning before storage |
| Allowing symlinks | Unauthorized file access | Disable symlinks on upload directory |
| Synchronous processing | Timeout for large files (>30 sec) | Use async queue |
| No file size limit at proxy level | Memory exhaustion | Configure client_max_body_size in Nginx |

The server's job is to receive the binary stream, validate it, and save it. Because Node.js is single-threaded, we use middleware to handle multipart/form-data. The industry standard is Multer.

```html
<form action="/upload" method="POST" enctype="multipart/form-data">
  <input type="file" name="file" id="fileInput" accept=".pdf,.jpg,.png" required>
  <button type="submit">Upload</button>
</form>
```
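
The `accept` attribute on the form only filters the browser's file picker, so the server has to repeat the type and size checks itself. The following is an added example, not code from the original page: a dependency-free Node.js check that applies the magic-byte and random-name fixes from the pitfall table and returns the page's user messages. The names `validateUpload` and `sniffType` and the sample inputs are assumptions, and the input shape mirrors the file object that Multer's memory storage provides.

```javascript
const crypto = require('node:crypto');

const MAX_BYTES = 5 * 1024 * 1024; // 5MB limit from the page's error table

// Leading-byte signatures for the three types the form accepts.
const SIGNATURES = [
  { ext: 'pdf', mime: 'application/pdf', magic: Buffer.from('%PDF-', 'latin1') },
  { ext: 'jpg', mime: 'image/jpeg', magic: Buffer.from([0xff, 0xd8, 0xff]) },
  { ext: 'png', mime: 'image/png',
    magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
];

// Identify the type from content only; returns a SIGNATURES entry or null.
function sniffType(buf) {
  return SIGNATURES.find((s) =>
    buf.length >= s.magic.length &&
    buf.subarray(0, s.magic.length).equals(s.magic)) || null;
}

// `file` mirrors Multer's in-memory file object: { buffer, originalname, mimetype }.
// originalname and mimetype are client-controlled and never influence the result.
function validateUpload(file) {
  if (file.buffer.length > MAX_BYTES) {
    return { ok: false, message: 'Maximum file size is 5MB.' };
  }
  const detected = sniffType(file.buffer);
  if (!detected) {
    return { ok: false, message: 'Only PDF, JPG, PNG files are allowed.' };
  }
  // Random server-side name: no overwrite, no traversal, no client-chosen extension.
  const storedName = `${crypto.randomBytes(16).toString('hex')}.${detected.ext}`;
  return { ok: true, storedName, mime: detected.mime, size: file.buffer.length };
}

// Constructed sample inputs (not from the page).
const pngHeader = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const samples = [
  { buffer: Buffer.concat([pngHeader, Buffer.alloc(32)]),
    originalname: '../../app.js', mimetype: 'text/plain' },
  { buffer: Buffer.from('#!/bin/sh\necho hi\n'),
    originalname: 'photo.jpg', mimetype: 'image/jpeg' },
];
for (const s of samples) {
  console.log(s.originalname, '->', validateUpload(s));
}
```

A matching signature only vouches for the first bytes of the file, so the scanning step in the pitfall table still applies to anything this check accepts.
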

| Error Scenario | User Message |
|----------------|---------------|
| File too large | “Maximum file size is 5MB.” |
| Wrong file type | “Only PDF, JPG, PNG files are allowed.” |
| Network failure | “Upload failed. Please try again.” |
| Server timeout | “Server took too long. Check your file size.” |

Example metadata table schema (fields)