DEV Community

navid
"To be, or not to be"

Hello everyone, we have a security question.
We are developing a finance application that helps users handle their expenses by storing those expenses in the app and getting monthly or annual reports. The users' data is saved in the cloud. Our users would like their data to be private, mostly for cultural reasons.

Now we want to implement a feature where users can store their expenses and attach images of their bank receipts, which will then end up in the cloud.

We have two options for attaching:

  1. Uploading the images and serving each image via a URL. We'll serve the image on a URL and will return the URL. Then the application can show the image to users with an in-app browser. However, this method is not secure, because we cannot implement an authentication strategy on static file serving. An attacker can generate thousands of random URLs and might be able to steal some of those images.

  2. Uploading the images and providing the users with image files which they can download anytime they want. This option will implement a JWT auth strategy so that everyone can download their own images.

Can you guys help me decide which one is better for our brand, to help us secure the trust of our users?

Hug the social distancing and be safe.
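
A sketch of the download check that option 2 describes, added here as an example and not part of the original post: the server verifies an HS256 JWT and then confirms the requested image belongs to the token's subject. The names `IMAGE_OWNERS`, `issue_token`, `verify_token` and `authorize_download` are hypothetical, the secret and image records are constructed, and the token handling uses only the standard library so the block runs offline (a maintained JWT library would normally take its place).

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed; load from a secret store in practice
# Constructed metadata store: image id -> owning user id
IMAGE_OWNERS = {"img-001": "user-a", "img-002": "user-b"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(user_id, ttl=300, now=None):
    """Issue a short-lived HS256 token whose subject is the logged-in user."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "exp": now + ttl}).encode())
    return f"{header}.{payload}.{_b64url(_sign(header + '.' + payload))}"

def verify_token(token, now=None):
    """Return the token's subject, or None if it is malformed, forged or expired."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        # Pin the algorithm; never let the token choose how it is verified.
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = _sign(header_b64 + "." + payload_b64)
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None
        return claims.get("sub")
    except (ValueError, AttributeError, TypeError):
        return None

def authorize_download(token, image_id, now=None):
    """Return an HTTP-style status code for a request to download image_id."""
    user = verify_token(token, now)
    if user is None:
        return 401
    if IMAGE_OWNERS.get(image_id) != user:
        return 404  # same answer for "not yours" and "does not exist"
    return 200
```

A valid token alone is not enough: the ownership lookup is what stops one authenticated user from fetching another user's receipt by changing the image id.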
