Any general advice on making sure a nefarious actor can't (easily) mess with our Shiny app via the upload widget?
We're building a Shiny web app hosted on shinyapps.io that will be public facing and are worried about the possibility of viruses in uploaded files or DOS attacks, given what we've read about similar upload security issues for Wordpress sites. Our app will need to accept fairly large .zip files (up to 100 MB, usually more than 10 MB).
So far we've considered a few things:
- Restrict types of uploads (unfortunately, we're looking for .zip files, which leaves lots of room for trouble)
- Use wand to check file types after unzipping ('good' zip files submitted to our site will only have csv tables)
- Requiring a form entry before upload to collect contact info, some sort of CAPTCA system, or email confirmation process.
[Note that we read the SQL injection page on the Shiny site, but it doesn't apply to this app]
Any ideas/info on:
- Things shiny or shinyapps.io is doing behind the scenes to keep our site safe, such that we shouldn't worry about this?
- Other R packages or systems out there we could use to conduct actual virus checks?
- Implementing a CAPTCHA-style system or email confirmation process through Shiny?
Many thanks in advance!