
File type and size limits are specified in the JavaScript API, no? Is there any way to enforce it server-side, so people can't abuse it?



We enforce both the filetype and size limits on the server side.

We have some hostname verification and we are also adding in secret keys to sign requests so we can be even more sure.

We also have some checks that look for abnormal upload patterns that have found a couple oddities and will get better with time.


But where can I specify filetype and size limits in my control panel? There's nothing stopping abusers from changing those parameters on the client.


That's a good idea. We had been working under the assumption that you would want to change limits often, but I can see how a per-apikey cap would prevent gross abuse.
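
The server-side enforcement discussed in this thread, sketched as an added example (not code from the thread or from the service): the account's backend signs the limits with a secret key, and the upload service verifies the signature, clamps the limits to a per-API-key cap, and checks the bytes actually received. The names `ACCOUNTS`, `signPolicy`, `checkUpload`, `sniffType`, the policy fields and the sample key and secret are all assumptions.

```javascript
// Added example: names, fields and limits are assumptions, not the service's real API.
const crypto = require("crypto");

// Per-API-key settings stored server-side (constructed sample data).
const ACCOUNTS = {
  key_demo: { secret: "constructed-demo-secret", capBytes: 10 * 1024 * 1024,
              capTypes: ["image/png", "image/jpeg"] },
};

// Runs on the customer's backend: sign the limits so the browser cannot alter them.
function signPolicy(policy, secret) {
  const body = Buffer.from(JSON.stringify(policy)).toString("base64url");
  const sig = crypto.createHmac("sha256", secret).update(body).digest("hex");
  return { body, sig };
}

// Minimal magic-byte sniffing for the two sample types.
function sniffType(bytes) {
  if (bytes.subarray(0, 4).equals(Buffer.from([0x89, 0x50, 0x4e, 0x47]))) return "image/png";
  if (bytes.subarray(0, 3).equals(Buffer.from([0xff, 0xd8, 0xff]))) return "image/jpeg";
  return "application/octet-stream";
}

// Runs on the upload service: verify the signature, then enforce the limits
// against the bytes actually received, never against client-declared values.
function checkUpload(apiKey, { body, sig }, upload, now = Date.now()) {
  const account = ACCOUNTS[apiKey];
  if (!account) return { ok: false, reason: "unknown api key" };
  const expected = crypto.createHmac("sha256", account.secret).update(body).digest();
  const given = Buffer.from(String(sig), "hex");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: "bad signature" };
  const policy = JSON.parse(Buffer.from(body, "base64url").toString());
  if (now > policy.expires) return { ok: false, reason: "policy expired" };
  // The signed policy can only narrow the per-key cap, never widen it.
  const maxSize = Math.min(policy.maxSize ?? Infinity, account.capBytes);
  const types = (policy.mimetypes ?? account.capTypes)
    .filter((t) => account.capTypes.includes(t));
  if (upload.bytes.length > maxSize) return { ok: false, reason: "too large" };
  if (!types.includes(sniffType(upload.bytes)))
    return { ok: false, reason: "type not allowed" };
  return { ok: true };
}
```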



