cd /news/cybersecurity/building-an-e2ee-chat-app-in-flask-p… · home topics cybersecurity article
[ARTICLE · art-10576] src=dev.to ↗ pub= topic=cybersecurity verified=true sentiment=· neutral

Building an E2EE Chat App in Flask - Part 3: Keeping File Uploads Safe

This article explains how to secure file uploads in a Flask-based chat app by implementing three key measures: restricting allowed file types to only images and videos (png, jpg, jpeg, gif, mp4, mov), sanitizing filenames using Werkzeug's `secure_filename` function to prevent path traversal attacks, and categorizing files by type for organized storage. The author emphasizes that developers should never trust user input and must actively check every file to prevent malware, oversized uploads, or system exploits.

read3 min views13 publishedMay 23, 2026

Okay hi, so imagine you have a mailbox at your house. Anyone can put things in it, am I right or am I right? What if someone puts a bomb in there? Or trash? You need to check what goes in before it causes problems.

That's what file uploads are like. Users can upload anything. We need to stop the bad stuff.

The Problem: Bad Files #

When I first built my chat app, I didn't think about what users could upload. They could upload:

  • Files with viruses hidden inside
  • Really huge files that break the app
  • Weird file types that cause problems
  • Files with tricky names designed to hack the system

It's like leaving your house door open and hoping bad people don't come in. Spoiler: they will.

My Solution: Check Everything #

I learned to be a security guard for my app. Here's what I do:

1. Only Accept Certain File Types

First, I made a python Set of file types I actually want:

ALLOWED_EXTENSIONS = {'png', 'jpg', 'jpeg', 'gif', 'mp4', 'mov'}

I only allow images (png, jpg, gif) and videos (mp4, mov). That's it. No .exe files. No .zip files. Nothing unsafe.

Then I check every file:

def allowed_file(filename):
    return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS

All that code just says: "Does the file have a dot? Is it one of our allowed types? If yes, cool. If no, reject it."

2. Clean Up Bad Filenames

Here's something sneaky: attackers might upload a file named something like "../../../admin.php" to try to escape the upload folder and hack the system.

So I use a function that removes all the dangerous stuff:

from werkzeug.utils import secure_filename

filename = secure_filename(file.filename)

If someone uploads "../../admin.php", this function turns it into "admin.php" (harmless).

If someone uploads "file (1) [2023].jpg", it cleans it up too.

3. Organize Files by Type

After the file is safe, I check what type it is:

def get_file_type(filename):
    ext = filename.rsplit('.', 1)[1].lower()
    if ext in {'mp4', 'mov'}:
        return 'video'
    elif ext in {'png', 'jpg', 'jpeg', 'gif'}:
        return 'image'
    return 'file'

So if someone uploads a video, I store it in the videos folder. Images go in the images folder. Everything stays organized and safe.

Why This Actually Works #

Think about it like airport security:

Whitelist= Only let through what's allowed (like a passenger list) - Clean names= Remove anything suspicious (like checking luggage) - Organize= Put things in the right place (like baggage claim)

If you don't do these checks, bad stuff gets through.

What Actually Happened #

I built this without thinking about security. Then I realized: what if someone uploads a virus? What if they upload a 1GB file? What if they try to hack the system with a weird filename?

So I added these checks. Now my app is safer.

The Real Lesson #

Never, ever trust what users do. Always assume someone is trying to break your app. Check everything.

What's Next #

Part 4 is about real-time messaging. How do messages update instantly without refreshing? WebSockets.

Let me know what you think!

── more in #cybersecurity 4 stories · sorted by recency
── more on @flask 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/building-an-e2ee-cha…] indexed:0 read:3min 2026-05-23 ·