Hi there,

My Django site lets users upload images. It's running on Apache.

Files are uploaded via a FileUpload form. The folder to which files are uploaded is outside the Django project, and protected as described here, i.e. the folder has 755 permissions and files have 644 permissions.

I now want to serve the images up to users - but I need to do it securely, so that executable scripts don't run, and so that users can't e.g. delete all the images in the directory.

My question is, how do I serve the uploaded images to users in a secure way? Can I serve them safely as static media directly from that folder, with those permissions? Or should I copy them into another directory with different permissions, and serve them from there?

I'm serving the other static media (/media/css) on the site as a separate, static application.

Thanks!
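An added example, not part of the original post: a Python audit of an upload folder that checks the 755/644 permissions stated in the question and that each file starts with an image signature. The function name `audit_upload_dir` and the accepted formats (PNG, JPEG, GIF) are assumptions made for illustration.

```python
import os
import stat
import sys

# Leading bytes of common image formats (assumption: only these are accepted).
IMAGE_SIGNATURES = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")

DIR_MODE = 0o755   # directory mode stated in the post
FILE_MODE = 0o644  # file mode stated in the post


def audit_upload_dir(root):
    """Return a sorted list of (path, problem) findings for the upload tree."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode != DIR_MODE:
            findings.append((dirpath, "directory mode %o, expected %o" % (mode, DIR_MODE)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat so symlinks are reported, not followed
            if not stat.S_ISREG(st.st_mode):
                findings.append((path, "not a regular file"))
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o111:
                findings.append((path, "execute bit set (mode %o)" % mode))
            elif mode != FILE_MODE:
                findings.append((path, "file mode %o, expected %o" % (mode, FILE_MODE)))
            with open(path, "rb") as fh:
                head = fh.read(8)
            if not head.startswith(IMAGE_SIGNATURES):
                findings.append((path, "content does not start with an image signature"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_uploads.py /path/to/upload/folder
    for path, problem in audit_upload_dir(sys.argv[1]):
        print("%s: %s" % (path, problem))
```

File modes govern execution by the operating system only; whether Apache passes a file in this folder to a script handler is decided by the server configuration, which this check does not inspect.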