
Coding_Field

how to secure file uploads?

Hi

We need to allow users to upload personal documents such as ID, CV etc. in common formats (.jpg, .png, .pdf), and the developer has made the routing to /public/app_assets/img.

Anyone with the link can access any file uploads.

What would be the best practice to secure it? We are working on Laravel version 7.14.

Thank you

bugsysha

If you check Google Photos a few years back, not sure if anything changed there, they did it the same way. Publicly accessible files, but the names were random strings. Studies were carried out and it turned out that someone successfully generating a URL was very unlikely, maybe even impossible.

So if you are using long random strings for file names you should be OK.

martinbean

@coding_field Sensitive files should not be publicly-accessible by filename.

Instead, upload the files to a secure location. Then use some form of URL signing to actually access the files. You can do this if you use Amazon S3 or CloudFront to serve files.

Your application should only generate signed URLs for files that the currently-authenticated user has access to, i.e. they should not be able to generate a URL to view another user’s ID document.

If you’re dealing with sensitive documents like government-issued IDs then I’d be inclined to encrypt them at rest as well. For example, if your S3 bucket is misconfigured, you then don’t want bad actors to be able to download your bucket’s contents and have access to every ID document uploaded by your application. I’d also imagine a lot of countries will have laws around how sensitive information like IDs is stored and will probably mandate that it is encrypted in storage.

--

@vandan Don’t beg people to award you best answers.

Coding_Field

@martinbean Thank you for your reply and valuable suggestions. For signed URLs I will read the official Laravel guide https://laravel.com/docs/7.x/urls to get better ideas.

Any ideas where is a good starting point about file encryption in PHP? I know this is an old topic and I have seen this link https://laravel.com/docs/7.x/encryption but just wonder if there is a more practical example to work with or a tutorial to learn from. I know there is an issue also if the encryption keys are compromised or incorrectly stored on the server, then it can cause lots of problems.
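As an added example (not code from anyone in this thread), here is how martinbean's three points (private storage, per-user signed URLs, encryption at rest) and the encryption question in the follow-up fit together in Laravel 7, using the local disk instead of S3. Assumed, not from the thread: a `documents` table with `id`, `user_id`, `path`, `mime` columns, an `App\Document` model, and a `documents()` hasMany relation on `App\User`.

```php
<?php
// Added example; assumes App\Document and User::documents() exist (see lead-in).

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Facades\URL;
use Illuminate\Support\Str;

// 1. Upload: validate type and size, then store OUTSIDE public/ (the 'local' disk
//    is storage/app) under a random name, encrypted with APP_KEY before it hits disk.
Route::post('/documents', function (Request $request) {
    $request->validate([
        'document' => 'required|file|mimes:jpg,jpeg,png,pdf|max:5120',
    ]);
    $file = $request->file('document');

    // extension() comes from the detected MIME type, not the client-supplied filename.
    $path = 'documents/' . Str::uuid() . '.' . $file->extension() . '.enc';

    // Crypt uses APP_KEY (AES-256-CBC + HMAC). Anyone holding APP_KEY can decrypt
    // every document, so key handling and rotation are part of the design.
    Storage::disk('local')->put($path, Crypt::encryptString($file->get()));

    $doc = $request->user()->documents()->create([
        'path' => $path,
        'mime' => $file->getMimeType(),
    ]);

    // 2. Return a short-lived signed URL; the signature covers the id and the expiry,
    //    so neither can be edited without invalidating the link.
    return [
        'url' => URL::temporarySignedRoute(
            'documents.show', now()->addMinutes(10), ['document' => $doc->id]
        ),
    ];
})->middleware('auth');

// 3. Download: 'signed' rejects tampered or expired links; the scoped lookup then
//    ensures a valid link only ever resolves to the caller's own document (404 otherwise).
Route::get('/documents/{document}', function (Request $request, $id) {
    $document = $request->user()->documents()->findOrFail($id);

    $plain = Crypt::decryptString(Storage::disk('local')->get($document->path));

    return response($plain)
        ->header('Content-Type', $document->mime)
        ->header('Content-Disposition', 'attachment');
})->name('documents.show')->middleware(['auth', 'signed']);
```

The whole file is held in memory for encryption and decryption, which is fine under the 5 MB validation cap but would need a streaming approach for large uploads.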
