
File Uploads Checklist for AI-Built Apps

Let users upload and store files

When you vibe code file uploads with tools like Cursor, Lovable, Bolt, v0, or Claude Code, the generated code often works in development but misses critical production requirements. This checklist helps you catch what AI missed before you ship.

Danger Zone

high risk

A file upload without limits is an invitation to crash your app or drain your bank account

File uploads look straightforward — a button, a progress bar, done. But behind that button is a whole minefield: what happens when someone uploads a 5GB file, or 10,000 tiny files, or a file named '../../../etc/passwd', or an image that's actually malware disguised with a fake extension. Then there's making sure files actually reach your storage without being corrupted, handling failed uploads that need to resume, and avoiding a surprise $10,000 storage bill because someone uploaded their entire photo library.

Failure scenario

You launch your app with a profile picture uploader. Three months in, someone uploads a 200MB file. Your server tries to hold the entire thing in memory while processing it, crashes, and takes down your whole app for 20 minutes. Then your hosting provider sends you a bill for 50GB of bandwidth because that one file has been requested 500 times. Then you discover anyone can directly access any uploaded file by guessing the URL — including files other users thought were private.

Common mistakes

  • No file size limits — someone uploads 2GB and crashes your server
  • Files saved with their original filename, letting attackers upload malicious paths like '../../system-file'
  • Uploaded files accessible to anyone who guesses the URL (no access control)
  • Processing files in memory instead of streaming, causing crashes on large files
  • No virus scanning — someone uploads malware that infects other users
  • Image files served at full resolution instead of resized, wasting bandwidth and money

Time to break: 2-6 months before abuse or a single large file causes a real problem
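
The first, second and fourth mistakes above can be closed in one place: the loop that reads the upload. The following is an added example, not code from the original page or from any of the services it names; `createUploadGuard`, the 5 MB cap and the allowed-type list are assumptions to adapt.

```javascript
// Added example: streaming upload guard. MAX_BYTES and the type list are assumed values.
const { randomUUID } = require('node:crypto');

const MAX_BYTES = 5 * 1024 * 1024; // assumed per-file cap (5 MB)
const SIGNATURES = {               // leading bytes of the allowed image types
  png: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  jpg: [0xff, 0xd8, 0xff],
  gif: [0x47, 0x49, 0x46, 0x38],
};

// Decide the type from file content, never from the client's filename or MIME header.
function sniffType(head) {
  for (const [ext, sig] of Object.entries(SIGNATURES)) {
    if (sig.every((byte, i) => head[i] === byte)) return ext;
  }
  return null;
}

function createUploadGuard(maxBytes = MAX_BYTES) {
  let total = 0;
  let type = null;
  let head = Buffer.alloc(0);
  return {
    // Call for each chunk as it arrives. A throw means: stop reading the
    // request and delete whatever was already written to storage.
    accept(chunk) {
      total += chunk.length;
      if (total > maxBytes) throw new Error('too_large');
      if (type === null) {
        head = Buffer.concat([head, chunk]).subarray(0, 8);
        if (head.length < 8) return; // not enough bytes to decide yet
        type = sniffType(head);
        if (type === null) throw new Error('type_not_allowed');
      }
    },
    // Call at end of stream. The storage key is generated server-side, so a
    // client filename such as '../../system-file' never reaches the filesystem.
    finish() {
      if (type === null) throw new Error('type_not_allowed');
      return { bytes: total, key: `${randomUUID()}.${type}` };
    },
  };
}

// Usage in a Node handler (write() is a hypothetical storage writer):
//   const guard = createUploadGuard();
//   for await (const chunk of req) { guard.accept(chunk); await write(chunk); }
//   const { key } = guard.finish();
```

A signature check only enforces the type allow-list; it does not replace the virus scanning listed above.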

How are you building this?

Showing what to check when using a managed service

Audit Prompts

Copy these into your AI coding assistant to check your implementation.

Are uploads protected from abuse?
security
Look at our file upload setup. Check these limits: Is there a maximum file size per upload? Is there a limit on total storage per user? Is there a limit on how many files can be uploaded per minute? Are allowed file types restricted (e.g., only images, not executables)? Does the upload service have virus scanning enabled?

Without limits, one person can intentionally or accidentally fill your entire storage quota or crash your server by uploading huge files.

Can people access files they shouldn't?
security
Check file access permissions. If someone knows the URL of a file uploaded by another user, can they access it? Are files that are supposed to be private actually private? When someone deletes a file in your app, does it actually get deleted from storage? Are temporary files cleaned up automatically?

The most common upload mistake is storing everything in a public folder where any URL can be guessed. Private documents become public by accident.
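
One way to keep a private file private even when its URL is known is a signed link that expires. This is an added example, not code from the original page or from any service it names; `SECRET`, the `/files` route and the in-memory `OWNERS` map are assumptions standing in for your configuration and database.

```javascript
// Added example: signed, expiring download links with an ownership check.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'replace-with-a-random-server-side-secret'; // constructed placeholder
const OWNERS = new Map([['a1b2.png', 'user-1']]);          // constructed: file key -> owner

function sign(key, userId, expires) {
  return createHmac('sha256', SECRET)
    .update(`${key}\n${userId}\n${expires}`)
    .digest('hex');
}

// Issue a link only to the file's owner; it stops working after ttlSeconds.
function issueDownloadUrl(key, userId, nowSec, ttlSeconds = 300) {
  if (OWNERS.get(key) !== userId) return null;
  const expires = nowSec + ttlSeconds;
  const sig = sign(key, userId, expires);
  return `/files/${encodeURIComponent(key)}?u=${encodeURIComponent(userId)}&e=${expires}&s=${sig}`;
}

// Run on every download request before any bytes of the file are sent.
function verifyDownloadUrl(url, nowSec) {
  const parsed = new URL(url, 'http://localhost');
  const key = decodeURIComponent(parsed.pathname.replace(/^\/files\//, ''));
  const userId = parsed.searchParams.get('u') ?? '';
  const expires = Number(parsed.searchParams.get('e'));
  const given = Buffer.from(parsed.searchParams.get('s') ?? '', 'hex');
  const want = Buffer.from(sign(key, userId, expires), 'hex');
  // Constant-time comparison; a missing or malformed signature fails the length check.
  if (given.length !== want.length || !timingSafeEqual(given, want)) return false;
  // Re-check ownership so a deleted or reassigned file stops being served.
  return Number.isFinite(expires) && nowSec <= expires && OWNERS.get(key) === userId;
}
```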

Will your upload costs spiral out of control?
cost
Check your upload service's pricing and current usage. Are images being automatically resized for different screen sizes (not serving 5MB originals)? Are you paying for bandwidth every time a file is accessed? Is there a cap or alert before costs exceed your budget? Are old/unused files being archived or deleted?

Storage and bandwidth costs can sneak up fast. Serving original 10MB images instead of 200KB thumbnails can multiply your bills by 50x.

What happens when an upload fails?
reliability
Test what happens when uploads fail partway through. Can large uploads resume from where they left off? If someone's connection drops during upload, do they have to start over? Does the UI show clear error messages? Are failed uploads cleaned up so they don't waste storage?

Forcing users to restart a 100MB upload from scratch is how you lose customers. Resumable uploads are critical for anything over a few megabytes.


Smart Move

Use a service

File uploads seem simple but are full of security and cost traps. Services handle virus scanning, resumable uploads, image optimization, and CDN delivery automatically. The free tiers are generous, and the time saved avoiding storage bugs is worth it.

UploadThing

Modern upload service built for Next.js — handles files, images, and videos with built-in optimization

2GB storage and 2GB bandwidth per month free

Uploadcare

Automatic image optimization, transformations, and CDN delivery — great for apps with lots of images

3,000 uploads and 3GB storage free per month

Cloudinary

Powerful image and video processing — resize, crop, optimize, and transform on the fly

25GB storage and 25GB bandwidth per month free

Tradeoffs

You're locked into their pricing as you scale, and switching providers means migrating all your files. But the security, automatic optimization, and virus scanning you get in return are worth it unless you have very specific needs.

Did you know?

The average cost of a data breach involving file uploads is $4.45 million, and 43% of breaches involve uploading malicious files that weren't properly validated.

Source: IBM Cost of a Data Breach Report 2023
