1. Upload enters
Client file arrives
Browser MIME, extension, and size are useful hints, but they are not enough to trust the file yet.
Open-source core · MIT · Node.js upload security
Secure file uploads in Node.js before storage.
Pompelmi gives Node.js teams a route-level upload boundary. It helps the route validate claimed file types, catch archive abuse, flag risky document or binary structure, and decide between accept, quarantine, or reject before bytes become durable state.
Inspect first, store later Express / Next.js / NestJS / Fastify Archive guards + optional YARA Public examples + public references
- What it is
- A route-level inspection layer for untrusted uploads in Node.js.
- Who it is for
- Teams running public, semi-trusted, document-heavy, or object-storage-backed upload routes.
- Why it matters
- The first trust decision stays inside the application path instead of after storage.
Minimal route decision
npm install pompelmiimport { scanBytes, STRICT_PUBLIC_UPLOAD } from 'pompelmi';
const report = await scanBytes(req.file.buffer, {
filename: req.file.originalname,
mimeType: req.file.mimetype,
policy: STRICT_PUBLIC_UPLOAD,
failClosed: true,
});
if (report.verdict !== 'clean') {
return rejectOrQuarantine(report);
}Start with a clean route verdict, then wire it into reject, quarantine, or promotion logic. Framework adapters stay optional.
1
Receive into memory or quarantine
Do not trust public uploads enough to write them straight into the live bucket or a normal disk path.
2
Inspect route-specific risk
Validate claimed type, archive behavior, risky PDF or Office structure, SVG content, and optional YARA rules.
3
Return a route verdict
Let the route decide between clean, suspicious, or malicious while it still knows the workflow and user context.
4
Store, quarantine, or promote
Only accepted files reach durable state. Suspicious files can wait in a review or promotion flow instead.
Mentioned in
Upload flow
Where Pompelmi sits in the request path
The project is not a generic after-the-fact malware queue. It belongs at the point where the application still knows the route policy, the expected file class, and whether a suspicious file should be rejected or quarantined.
1. Upload enters
Client file arrives
Browser MIME, extension, and size are useful hints, but they are not enough to trust the file yet.
2. Route gate
Fast pre-filters
Apply route limits for count, size, claimed type, and whether the route should fail closed.
3. Inspection engine
Pompelmi analyzes bytes
Detected type, archive boundaries, risky PDF or SVG structure, and optional YARA-style signals feed a route-aware verdict.
4A. Clean path
Store or promote
Only clean files reach object storage, previews, or downstream processors.
4B. Flagged path
Reject, quarantine, or review
Keep suspicious files out of the live bucket and UI path until the workflow is ready to trust them.
Before storage, quarantine, and promotion
For simple request-response uploads, the usual sequence is receive, inspect, then store only on `clean`.
For larger or direct-to-storage flows, the safe default is quarantine first, then promote only after the scan and policy checks pass.
That keeps risky uploads out of the live bucket, preview path, OCR pipeline, or downstream parser until the application is ready to trust them.
Good fits
- Public or semi-trusted upload endpoints that should fail closed.
- Document-heavy business apps that need review-friendly suspicious verdicts.
- Object-storage pipelines that should promote files only after inspection.
- Privacy-sensitive teams that prefer local-first scanning over cloud upload APIs.
Why route-level decisions matter
Different upload controls solve different parts of the problem
Browser hints, type validation, and antivirus all help. The missing layer is usually the application decision that turns those signals into accept, reject, quarantine, or promotion.
Browser MIME checks vs backend inspection
Helpful client hints are not the same thing as a backend trust decision.
Extension checks vs content inspection
See why file upload validation and deeper inspection belong in separate layers.
Validation vs malware scanning
Understand which problems validation solves and where scanner-style checks still matter.
Antivirus-only vs route-level upload security
Upload routes still need before-storage policy even when YARA or ClamAV exists.
Evaluation table
Browser MIME and extension hints
Useful for
Fast UX feedback before submit
Still missing
Attacker-controlled filenames and client MIME claims are not enough to decide trust.
Backend type validation
Useful for
Checking that bytes look like the route expects
Still missing
It still does not answer archive abuse, risky structure, or route-specific storage policy.
Antivirus or YARA only
Useful for
Known-malware matches and environment-specific signatures
Still missing
Routes still need type validation, archive controls, and before-storage handling.
Route-level upload security
Useful for
The first application decision before storage, preview, OCR, or promotion
Still missing
Nothing upstream. This is the orchestration layer that combines the other signals.
Browser preview
Evaluate the verdict flow without sending a file anywhere
The preview is intentionally honest. It is a local browser-only look at the UX and signal surface, not a claim that client-side inspection can replace the backend route.
What it shows
- Files stay in the browser and no upload request is sent.
- Detected type, extension, and browser-reported MIME appear side by side for quick inspection.
- The preview surfaces obvious mismatches and suspicious signals without pretending to replace server-side checks.
What real backend integration adds
- Route-specific policy packs and allowlists
- Archive traversal, expansion, entry-count, and nesting controls
- Optional YARA or other scanners plus quarantine and promotion workflows
Where to go next
Client-side preview only
This widget reads selected files locally. It never uploads them, and it does not claim to run the full backend policy path.
Sample scenarios
Run guided demo cases
Useful for a quick product walkthrough before choosing a real file.
Files stay in your browser for this preview.
Drag files here to preview a verdict
Useful tests: a normal PDF or PNG, a renamed file, or a text file containing the EICAR test string.
What makes this preview useful
- Run the sample scenarios to demonstrate clean, suspicious, and malicious verdict styles instantly.
- Try a file whose extension does not match its actual bytes.
- Try a ZIP to see where the browser preview stops and the server path begins.
Search-intent entry points
Start from the problem you searched for
The shortest path is not always “install the package.” Sometimes the right first page is the comparison, framework guide, or storage pattern that matches the route you are trying to secure.
Secure file uploads in Node.js
Start with the architecture, then branch into the framework or storage flow you actually run.
Multer file upload security
Memory-backed parsing, scan-before-storage, and clearer verdict handling for Express routes.
Next.js file upload security
App Router upload routes with clean, suspicious, and quarantine-aware decisions.
NestJS file upload security
Module, interceptor, and service patterns for business apps that accept documents.
Fastify file upload security
Early `preHandler` checks before object storage or background processing takes over.
Scan files before S3 upload
Quarantine-first storage and promotion after a clean verdict instead of trusting direct uploads.
Antivirus-only vs route-level upload security
See where signature scanning helps and where the application still needs a real upload boundary.
SVG upload security
Treat SVG as active content, not just another image extension on a generic upload route.
Choose your path
Start from your framework or workflow
Pompelmi is easiest to evaluate when you start with the actual route stack or storage boundary you already run instead of a generic sample that does not match production.
Express
Multer with a memory-backed route guard and verdict-aware handler flow.
Next.js
Node runtime App Router routes with inspect-first-store-later handling.
NestJS
Module and interceptor patterns for document-heavy apps and internal systems.
Fastify
Early blocking in `preHandler` before persistence or downstream jobs.
Koa
Middleware-oriented upload inspection for lightweight Node.js stacks.
Nuxt/Nitro
Nitro handlers that keep the first upload decision inside the app path.
Public endpoints
Safer defaults for unauthenticated or lightly trusted uploads.
Object storage promotion
Quarantine, review, and promotion flows around S3-style storage.
Use cases
Choose the deployment pattern, not a fake one-size-fits-all upload policy
Public avatar uploads, PDF intake portals, ZIP imports, and direct-to-storage promotion flows should not all share the same rules. The use-case pages map risk to route design.
Public upload endpoints
Tighter defaults when uploads come from unknown or lightly trusted users.
Document-heavy business apps
PDF, Office, and mixed document routes that need quarantine or review options.
Image upload routes
Separate raster images from SVG and keep active content out of generic avatar flows.
Archive uploads
Archive-specific limits for depth, expansion, traversal, and entry counts.
Quarantine and review
Review queues and inspect-first-store-later handling for suspicious files.
Promotion workflows
Delay object publication until a clean verdict or reviewer approval exists.
Trust and proof
Public references and a public integration surface
The proof is intentionally verifiable: public code, public docs, public examples, and public references that evaluators can inspect quickly.
Open-source core
MIT-licensed repository, public docs, and examples that teams can audit before adopting the upload path.
Inspect GitHub
Framework adapters
Express, Next.js, NestJS, Fastify, Koa, Nuxt/Nitro, and storage-oriented flows are documented publicly.
Browse the docs
Runnable examples
Use the demo routes and examples directory to see the request path, verdict handling, and storage decisions.
View examples
Public references
Stack Overflow · 2026-02-23
Defense against uploads: Q&A with OSS file scanner, pompelmi
Interview with Tommaso Bertocchi by Ryan Donovan.
Help Net Security · 2026-02-02
Pompelmi: Open-source secure file upload scanning for Node.js
Dedicated coverage of the project and its Node.js adapters.
Help Net Security · 2026-02-26
Hottest cybersecurity open-source tools of the month: February 2026
Included in Help Net Security's monthly open-source roundup.
FAQ
Questions evaluators usually ask before they wire the route
What is Pompelmi in the upload flow?
Pompelmi is the application-layer upload boundary for Node.js routes. It inspects untrusted files before disk, object storage, or downstream processors see them.
Is Pompelmi an antivirus replacement?
No. It covers route-level upload validation and structural checks. Teams can also combine it with YARA, ClamAV, quarantine, and review flows when they need deeper detection.
Can Pompelmi work with Multer, Next.js, NestJS, and Fastify?
Yes. The public docs include framework-specific integration guides for Express, Next.js, NestJS, Fastify, Koa, and Nuxt/Nitro.
Does the browser preview upload my files?
No. The preview reads selected files locally in the browser to demonstrate the verdict UX. Real upload security decisions still belong on the backend route.
Ship with context intact
Make the first upload decision while the route still knows what the file is for.
That means cleaner storage boundaries, better observability, and less guesswork when the route needs to reject, quarantine, or promote an upload.