
I want to allow users to upload all sorts of files and avoid the security risks. For example, I currently do not allow HTML file uploads to avoid any risk of users uploading HTML files with malicious JavaScript code.

I am wondering if using X-Sendfile to serve user-uploaded files from a storage directory placed OUTSIDE of the Apache document root would allow me to let users upload HTML files and other possibly malicious content without the risks involved.

I mean, if the storage directory is outside of the document root folder, thus uploaded files cannot be served directly by the web server, does this mean it would be more secure to allow a broader range of file types to be uploaded?
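
An added example, not part of the original question: a Python sketch of the download handler this setup implies. It maps a requested name to a file under a storage directory outside the document root and returns the `X-Sendfile` header together with headers that make the browser download the file rather than render it, since the file still reaches the browser from the site's own origin. The function names, the storage layout and the sample files are assumptions.

```python
import os
import tempfile
from urllib.parse import quote


def resolve_upload(storage_root, requested_name):
    """Map a client-supplied name to a real file inside storage_root, or None."""
    root = os.path.realpath(storage_root)
    candidate = os.path.realpath(os.path.join(root, requested_name))
    # Reject anything that escapes the storage directory: "../" segments,
    # absolute paths, or symlinks that point elsewhere.
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_sendfile_headers(storage_root, requested_name):
    """Return (status, headers) for the application to send; the web server's
    X-Sendfile module replaces the empty body with the file's contents."""
    path = resolve_upload(storage_root, requested_name)
    if path is None:
        return 404, {}
    filename = os.path.basename(path)
    return 200, {
        "X-Sendfile": path,
        # Never echo an uploader-controlled type such as text/html.
        "Content-Type": "application/octet-stream",
        # Force a download instead of inline rendering on the site's origin.
        "Content-Disposition": "attachment; filename*=UTF-8''" + quote(filename),
        # Stop the browser from sniffing the body and treating it as HTML.
        "X-Content-Type-Options": "nosniff",
        # If the file is rendered anyway, it runs in a sandboxed, unique origin.
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed sample: a storage directory holding one uploaded HTML file.
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "storage")
        os.mkdir(store)
        with open(os.path.join(store, "page.html"), "w") as fh:
            fh.write("<script>alert(document.cookie)</script>")
        for name in ("page.html", "../outside.txt", "missing.bin"):
            print(name, build_sendfile_headers(store, name))
```
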

0 Answers