The legal concern is if people upload illegal content, or content that violates copyright. I read that Section 230 of the Communications Decency Act is supposed to protect website owners if their users upload illegal content. However, I also read that with the controversy over social media and politics, politicians are calling for websites to be classified as "publishers," and hence be held responsible. Might the law change in the future?
I certainly do not have the time and resources to moderate anything, and if people upload illegal content, I do not want the hassle of getting involved with law enforcement. And I certainly don't want to be the one punished.
The technical concern is that by allowing file uploads, I am opening up a significant attack vector. I found out that I would have to check and validate the MIME types of the files (not just check the extension or the Content-Type parameter!). In addition, I read that a file can be a valid image file yet still contain JavaScript, and I would have to make sure that the files are served to the browser with the correct MIME type or else risk XSS. And there are even more attack vectors, such as timing attacks to guess passwords, or denial of service, and possibilities that I don't even know of. Even when I know of the basics, such as sanitizing input before making SQL queries (or using an ORM library), or hashing and salting passwords with an appropriate algorithm such as BCrypt, there are so many things that I could overlook.
When I first had the idea for the website, I thought that it would be simple enough to implement. However, after doing my research, I now realize just how dangerous it is to expose a computer to the Internet, and just how many ways there are for bad actors to ruin things.
People who have developed and deployed websites with user-submitted content, how do you manage all the security and legal aspects? Would a high schooler / soon-to-be college student have the appropriate time to manage everything on top of studying? Would you trust a server written by someone inexperienced with backend development?
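The upload checks described in the post (type decided from the file's bytes rather than the extension or the declared Content-Type, and a fixed MIME type on the way out) can be sketched as follows. This is an added example, not part of the original post; the allowlist, the 5 MiB limit and the function names are assumptions, and a signature check alone does not prove the rest of the file is a clean image.

```python
import secrets

# Assumed allowlist: leading-byte signature -> (MIME type to serve, stored extension)
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png", ".png"),
    (b"\xff\xd8\xff", "image/jpeg", ".jpg"),
    (b"GIF87a", "image/gif", ".gif"),
    (b"GIF89a", "image/gif", ".gif"),
]
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit, bounds disk and memory use


class RejectedUpload(ValueError):
    """Raised when an upload fails validation."""


def sniff_type(data: bytes):
    """Return (mime, ext) based on the file's leading bytes, or None."""
    for magic, mime, ext in SIGNATURES:
        if data.startswith(magic):
            return mime, ext
    return None


def accept_upload(data: bytes, client_content_type: str) -> dict:
    """Validate an upload; return the stored name and the headers to serve it with.

    client_content_type comes from the request and is attacker-controlled,
    so it is only compared against the sniffed type, never trusted alone.
    """
    if len(data) > MAX_BYTES:
        raise RejectedUpload("file too large")
    sniffed = sniff_type(data)
    if sniffed is None:
        raise RejectedUpload("content is not an allowlisted image type")
    mime, ext = sniffed
    declared = client_content_type.split(";")[0].strip().lower()
    if declared != mime:
        raise RejectedUpload("declared Content-Type does not match content")
    # Server-generated name: the client's filename never reaches the filesystem.
    stored_name = secrets.token_hex(16) + ext
    headers = {
        "Content-Type": mime,                  # fixed by the server from the sniff
        "X-Content-Type-Options": "nosniff",   # browser must not re-guess the type
        "Content-Disposition": f'inline; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return {"stored_name": stored_name, "headers": headers}
```

Because an image that passes the signature check can still carry extra bytes, the response headers matter as much as the upload check: the browser is told exactly one type and is forbidden from sniffing another.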