The latest articles on DEV Community by Rudra Bhairav (@rudra_bhairav_634c3d5d52b). https://dev.to/rudra_bhairav_634c3d5d52b https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3890261%2F7f8b7e64-f17d-41ef-9ae7-d8ae70086238.png https://dev.to/rudra_bhairav_634c3d5d52b en Rudra Bhairav Tue, 21 Apr 2026 06:56:51 +0000 https://dev.to/rudra_bhairav_634c3d5d52b/how-i-built-a-secure-file-transfer-app-with-django-clamav-and-cloudflare-r2-3non https://dev.to/rudra_bhairav_634c3d5d52b/how-i-built-a-secure-file-transfer-app-with-django-clamav-and-cloudflare-r2-3non <p>I recently launched TransferSecure, a file transfer platform built for sending large files to clients and collaborators without forcing them to create an account. Here is a breakdown of how it works under the hood.</p> <p>The Stack<br> Backend: Django 6 + Django REST Framework<br> File Storage: Cloudflare R2 (S3-compatible) via boto3<br> Virus Scanning: ClamAV via pyclamd<br> Task Queue: Celery + Redis<br> Database: PostgreSQL<br> Frontend: Django templates + Bootstrap 5 + vanilla JS</p> <p>The Upload Flow<br> The browser never uploads files through Django. Instead:<br> The frontend requests presigned upload URLs from the backend<br> Files are uploaded directly from the browser to Cloudflare R2 using those URLs<br> Once all parts are uploaded, the frontend calls a confirm endpoint<br> Django sets the transfer status to scanning and triggers a Celery task<br> The Celery worker streams each file from R2 directly into ClamAV without writing to disk<br> Once scanning is complete, the transfer becomes active and recipients are emailed<br> This keeps Django out of the upload path entirely, which means no memory pressure on the server regardless of file size.</p> <p>Virus Scanning<br> ClamAV scans files up to 200 MB by streaming them directly from R2 into the ClamAV daemon via pyclamd. Files larger than 200 MB are accepted but bypass active scanning due to stream length constraints — this is disclosed in the terms of service.<br> If a virus is detected, the file is deleted from R2 immediately, storage quota is refunded, and the infected file is excluded from the transfer. If all files in a transfer are infected, the transfer is marked deleted and recipients are never notified.</p> <p>Anonymous Sending<br> Registered accounts are not required to send files. Anonymous senders verify their email via a 6-digit OTP before uploading. This gives just enough identity verification to prevent abuse without forcing sign-ups.</p> <p>Multipart Uploads<br> Files above 100 MB use S3 multipart upload. The frontend splits the file into 10 MB chunks, uploads each part with a presigned URL, and calls a complete-part endpoint for each chunk. The backend tracks part completion and finalizes the multipart upload once all parts are confirmed.</p> <p>What I Learned<br> Streaming files from R2 into ClamAV without touching disk works well in practice but requires careful handling of ClamAV's StreamMaxLength limit<br> Presigned URLs for direct browser-to-R2 uploads eliminate a whole class of server memory and timeout problems<br> Celery's retry mechanism is essential for ClamAV — if the daemon is temporarily unavailable, the task retries with backoff instead of silently failing<br> Live at: <a href="https://transfersecure.ai" rel="noopener noreferrer">transfersecure.ai</a></p> <p>Happy to answer questions about any part of the implementation.</p> webdev productivity python security