How to Scan File Uploads in Express

via Dev.to Tutorial (Tommaso Bertocchi)

Many Express apps let users upload files. That usually starts as a product feature:

- profile pictures
- resumes
- PDFs
- invoices
- ZIP archives
- documents sent to internal workflows

But an upload endpoint is also part of your attack surface. A file can look harmless from its extension alone and still be risky once your app stores it, serves it, unzips it, or sends it to another system.

In this tutorial, we’ll build a simple Express upload route that scans files before storage using:

- Express for the API
- Multer for multipart/form-data
- Pompelmi for file inspection

By the end, you’ll have a route that:

- accepts a file upload
- inspects the uploaded bytes
- blocks suspicious or malicious files
- only saves files that pass your policy

Why file uploads need scanning

A lot of upload pipelines still trust checks that are too shallow, such as:

- the filename extension
- the client-provided MIME type
- a simple allowlist like .pdf, .jpg, .zip

That is not enough. A safer pattern is:

- receive the file
- inspect it immedi
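The excerpt stops before the route is shown, so here is an added example of the pattern it describes: inspect the uploaded bytes before anything is written to disk, and reject on any disagreement between content, extension and declared MIME type. This is illustrative code written for this page; it is not the article's code and not Pompelmi's API. It assumes Multer's memoryStorage (so `req.file` carries `buffer`, `originalname` and `mimetype`) and uses a hypothetical `saveFile` hook for persistence. The sample inputs at the bottom are constructed.

```javascript
// Added example (not the article's code, not Pompelmi's API).
// Assumes a Multer memoryStorage file object: { buffer, originalname, mimetype }.

// Magic-byte signatures for the container types the policy can recognise.
const SIGNATURES = [
  { type: 'pdf',  ext: ['.pdf'],          mime: ['application/pdf'], magic: Buffer.from('%PDF-') },
  { type: 'png',  ext: ['.png'],          mime: ['image/png'],       magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { type: 'jpeg', ext: ['.jpg', '.jpeg'], mime: ['image/jpeg'],      magic: Buffer.from([0xff, 0xd8, 0xff]) },
  { type: 'zip',  ext: ['.zip'],          mime: ['application/zip', 'application/x-zip-compressed'], magic: Buffer.from([0x50, 0x4b, 0x03, 0x04]) },
];

// Identify the real type from the leading bytes, ignoring what the client claimed.
function detectType(buffer) {
  for (const sig of SIGNATURES) {
    if (buffer.length >= sig.magic.length && buffer.subarray(0, sig.magic.length).equals(sig.magic)) {
      return sig;
    }
  }
  return null;
}

function extensionOf(name) {
  const dot = name.lastIndexOf('.');
  return dot >= 0 ? name.slice(dot).toLowerCase() : '';
}

// Policy: detected type must be on the allowlist, and the client-supplied
// extension and MIME type must agree with it. Disagreement is a reason to
// reject, not to "fix up" the file. Returns { allowed, detected, reasons }.
function inspectUpload(file, { maxBytes = 10 * 1024 * 1024, allow = ['pdf', 'png', 'jpeg'] } = {}) {
  const reasons = [];
  if (!file || !Buffer.isBuffer(file.buffer) || file.buffer.length === 0) {
    return { allowed: false, detected: null, reasons: ['empty or missing body'] };
  }
  if (file.buffer.length > maxBytes) reasons.push(`size ${file.buffer.length} exceeds ${maxBytes}`);

  const sig = detectType(file.buffer);
  if (!sig) {
    reasons.push('unrecognised content (no known signature)');
    return { allowed: false, detected: null, reasons };
  }
  if (!allow.includes(sig.type)) reasons.push(`type ${sig.type} not in allowlist`);

  const ext = extensionOf(file.originalname || '');
  if (!sig.ext.includes(ext)) reasons.push(`extension ${ext || '(none)'} does not match content ${sig.type}`);
  const mime = String(file.mimetype || '').toLowerCase();
  if (!sig.mime.includes(mime)) reasons.push(`declared MIME ${mime || '(none)'} does not match content ${sig.type}`);

  return { allowed: reasons.length === 0, detected: sig.type, reasons };
}

// Express-shaped handler. Wire it as
//   app.post('/upload', multer({ storage: multer.memoryStorage() }).single('file'),
//            (req, res) => handleUpload(req, res, saveFile));
// `saveFile(buffer, type)` is a hypothetical persistence hook; it is only
// called after the file has passed inspection.
function handleUpload(req, res, saveFile) {
  const verdict = inspectUpload(req.file);
  if (!verdict.allowed) {
    res.status(400).json({ error: 'upload rejected', reasons: verdict.reasons });
    return verdict;
  }
  saveFile(req.file.buffer, verdict.detected);
  res.status(201).json({ stored: true, type: verdict.detected });
  return verdict;
}

// Constructed sample inputs: a genuine PDF header, and ZIP bytes renamed to .pdf.
const samples = [
  { originalname: 'cv.pdf',      mimetype: 'application/pdf', buffer: Buffer.from('%PDF-1.7\n%constructed') },
  { originalname: 'invoice.pdf', mimetype: 'application/pdf', buffer: Buffer.from([0x50, 0x4b, 0x03, 0x04, 0x00, 0x00]) },
];
for (const s of samples) console.log(s.originalname, inspectUpload(s));
```

The point of the mismatch checks is that a ZIP renamed to `.pdf` and posted with `Content-Type: application/pdf` passes every client-side check the excerpt warns against, but is rejected here because the bytes say otherwise; everything that is not positively identified is also rejected rather than stored.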

Continue reading on Dev.to Tutorial
