The issue is more related to the R2 itself, but perhaps someone has advice on how to validate the file type in a secure environment?
Passing ContentType in PutObjectCommand doesn't work.
Currently, anyone from the client side can send a malware file with any header, and it will be correctly uploaded via presigned url.
At the moment, presigned URLs don't support POST methods, and R2 doesn't have Bucket Policies.
The issue is more related to the R2 itself, but perhaps someone has advice on how to validate the file type in a secure environment?
Passing
ContentTypeinPutObjectCommanddoesn't work.Currently, anyone from the client side can send a malware file with any header, and it will be correctly uploaded via presigned url.
At the moment, presigned URLs don't support POST methods, and R2 doesn't have Bucket Policies.