My Django site allows customers to upload images. It's running on Apache.

Files are uploaded using a FileUpload form. The folder that files are uploaded to is outside the Django project, and protected as described here, i.e. the folder has 755 permissions and files have 644 permissions.

I would now like to serve the images up to customers, but I need to do it securely, to ensure that executable scripts can't run, and to ensure that customers can't e.g. delete all of the images in the directory.

My real question is: how do you serve the uploaded images to customers in a secure way? Can I serve them securely as static media from that folder, with those permissions? Or should I copy them into another directory with different permissions, and serve them from there?

I am serving other static media (/media/css) on the site as a separate, static application.


The best way to do that would be to configure your web server to serve all files with the names it needs, with a proper image content-type. Use Django's ImageField for some degree of validation by PIL/Pillow that uploaded files are images. For that directory, disable web server features like autogenerating directory indexes, autoserving from the filesystem, guessing at MIME types, and running CGI scripts.
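As an added illustration of the answer above (this is not configuration from the question or the answer's author), here is an Apache 2.4 virtual-host fragment that applies those points to an upload directory outside the Django project. The filesystem path `/srv/example-site/uploads/`, the URL prefix `/uploads/`, and the set of accepted extensions are assumptions for the example; the `Header` lines assume `mod_headers` is loaded.

```apache
# Added example, not part of the original question or answer.
# Assumptions: Apache 2.4, mod_headers loaded, uploads live in
# /srv/example-site/uploads/ (placeholder path) and the form only
# accepts PNG, JPEG and GIF files.

# Map a URL prefix straight onto the upload directory; Django never
# handles these requests, so its code path cannot be tricked into
# running anything from this tree.
Alias /uploads/ /srv/example-site/uploads/

<Directory /srv/example-site/uploads/>
    # No directory listings, no CGI, no server-side includes, no content
    # negotiation ("autoserving" a neighbouring file under another name),
    # and no following symlinks out of the directory.
    Options -Indexes -ExecCGI -Includes -MultiViews -FollowSymLinks

    # Ignore any .htaccess that might end up in the directory.
    AllowOverride None

    # Forget every handler or MIME type Apache would otherwise derive
    # from the filename, so an uploaded "x.php" or "x.cgi" is just bytes.
    RemoveHandler .cgi .pl .php .phtml .py .shtml
    RemoveType    .cgi .pl .php .phtml .py .shtml
    SetHandler default-handler

    # Deny everything by default; only the accepted image extensions are
    # re-granted below, each with a fixed content-type rather than a
    # guessed one. (Require in a FilesMatch replaces the Directory-level
    # Require under Apache 2.4's default authorization merging.)
    Require all denied

    <FilesMatch "\.(?i:png)$">
        Require all granted
        ForceType image/png
    </FilesMatch>
    <FilesMatch "\.(?i:jpe?g)$">
        Require all granted
        ForceType image/jpeg
    </FilesMatch>
    <FilesMatch "\.(?i:gif)$">
        Require all granted
        ForceType image/gif
    </FilesMatch>

    # Stop browsers sniffing a different type out of the bytes, and make
    # sure a file that slipped through is never rendered as a document
    # with scripts, even if someone links to it directly.
    Header set X-Content-Type-Options "nosniff"
    Header set Content-Security-Policy "default-src 'none'"
</Directory>
```

The two halves reinforce each other: ImageField plus PIL/Pillow verification at upload time keeps most non-image content out of the directory, and the server-side configuration above makes sure that whatever does land there is only ever handed back as a static file with an image content-type, never listed, negotiated or executed. If mod_php is loaded in this Apache, additionally switching the PHP engine off for this directory with `php_admin_flag engine off` is a further safeguard. The 644/755 permissions from the question still matter, but they control who can write to the directory, not how the web server interprets what is in it, which is what this fragment addresses.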