Security · 4 min read · 31 December 2025

Secure File Uploads: How a Small Detail Protects Your Business Data

A seemingly minor detail in how file uploads are handled can be the difference between a secure system and a major breach. Here's the vulnerability that almost wasn't, and how we fixed it.

Every day, businesses handle countless file uploads. Images, documents, reports, CSV exports. It's such a routine part of modern operations that nobody thinks about what could go wrong.

Until something goes wrong.

Recently, our automated security scanner (we call it Sentinel) flagged a high-severity vulnerability in a file upload process. The discovery is a reminder of why security vigilance isn't optional when you're building custom software.

The Vulnerability: A Tale of Two Extensions

The issue was subtle. The system determined a file's type by trusting the filename provided by the user (e.g., invoice.pdf) more than the file's actual content.

This created a loophole. An attacker could upload a malicious script (exploit.php) but disguise it as an image by setting the Content-Type header to image/png. The system, prioritising the filename over the content type, would save the file with the dangerous .php extension.

If anyone then accessed that file via a URL, the server would execute it. Game over.

The Fix: Trust Content, Not Labels

The solution reversed the logic and enforced a simple rule: the file's verified content type dictates its extension. Always.

Now, when a file claims to be an image/png, we save it with a .png extension regardless of what the original filename was. A malicious script saved as an image file is inert. It can't execute. It just sits there, harmless, probably very annoyed.

This is defence in depth: multiple layers of protection so that one failure doesn't compromise everything.
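The rule above, sketched as an added example (not the code from the system described in this post). The function names, the allowlist, and the use of magic-byte sniffing to "verify" the content type are assumptions made for illustration; the sample byte strings are constructed.

```python
import os
import secrets

# Allowlist (assumed): MIME type -> (magic-byte signature, extension the server assigns)
ALLOWED = {
    "image/png": (b"\x89PNG\r\n\x1a\n", ".png"),
    "image/jpeg": (b"\xff\xd8\xff", ".jpg"),
    "application/pdf": (b"%PDF-", ".pdf"),
}

# Constructed sample inputs, not real uploads
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SCRIPT_BYTES = b"<?php /* constructed placeholder body */ ?>"

class UploadRejected(ValueError):
    """Raised when the content does not back up the declared type."""

def sniff_type(data: bytes):
    """Return the allowlisted MIME type whose signature matches the bytes, else None."""
    for mime, (magic, _ext) in ALLOWED.items():
        if data.startswith(magic):
            return mime
    return None

def unsafe_stored_name(client_filename: str, declared_type: str) -> str:
    """'Before' behaviour: the client's filename decides the extension."""
    return os.path.basename(client_filename)  # declared_type is ignored

def safe_stored_name(client_filename: str, declared_type: str, data: bytes) -> str:
    """'After' behaviour: the verified content type decides the extension."""
    verified = sniff_type(data)
    if verified is None:
        raise UploadRejected("content is not an allowlisted type")
    if verified != declared_type:
        raise UploadRejected(f"declared {declared_type!r}, content is {verified!r}")
    # Server-generated name: nothing from client_filename reaches the disk.
    return secrets.token_hex(16) + ALLOWED[verified][1]

if __name__ == "__main__":
    print("before:", unsafe_stored_name("exploit.php", "image/png"))
    print("after: ", safe_stored_name("exploit.php", "image/png", PNG_BYTES))
    try:
        safe_stored_name("exploit.php", "image/png", SCRIPT_BYTES)
    except UploadRejected as err:
        print("rejected:", err)
```

A signature check only confirms how a file starts, so the server-assigned extension remains the control that keeps the stored file from being treated as a script.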

Why This Matters for Your Business

This isn't just a technical fix for developers to worry about. It's a direct enhancement to your business's security posture.

Data integrity — Malicious files can't enter your system and corrupt your operational data.

System stability — The server can't be compromised by executable scripts masquerading as innocent documents.

Customer trust — When clients ask "is our data secure?", you can say yes and mean it.

The Boring Truth About Security

The vulnerabilities that actually get exploited are rarely the clever ones from hacker movies. They're mundane oversights. A file extension check that trusted the wrong source. A database query that didn't sanitise input. An S3 bucket with public access that nobody remembered was public.

Good security is boring security. It's checking the obvious things. It's automated scanning. It's fixing problems before anyone outside your team knows they existed.

That's the standard we hold ourselves to.


Have questions about your current software's security? Get in touch for a confidential discussion about our security audit and custom software solutions.
