#116 - Improve File Storing / Upload
Open

From Big Bug:

1. Strip Extensions: Store files without extensions; save original names and extensions in the database. This would allow limitless file extensions while remaining secure. Currently we store them on the filesystem as SHA256.ext, so we should store them as SHA256 only.

2. Unique Filenames: Use unique IDs to avoid collisions. (I think that's a thing already, no?) This is already done using SHA256.

3. Controlled Downloads: Re-append extensions during download and force file downloads using headers.

4. Restrict Access: Block direct access to storage directories in web server configs.

5. Set Permissions: Use chmod 644 and remove execute permissions.

6. Disable Directory Listing: Use Options -Indexes (Apache) or autoindex off; (Nginx).

7. Validate Uploads: Check MIME types to prevent malicious files.

This method prevents accidental execution and unauthorized access.

Milestone:
No milestone set
Assigned To: Nobody
Created Date: 2025-03-15 18:47:02
No Comments
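
Items 1, 3, 5 and 7 of the list, sketched in Python as an added example (not code from this project). The function names, the dict standing in for the database, and the magic-byte allow-list used for the MIME check are assumptions.

```python
import hashlib
import os
import re
import uuid

# Assumed allow-list: leading magic bytes -> MIME type accepted for upload.
MAGIC = {b"\x89PNG\r\n\x1a\n": "image/png", b"%PDF-": "application/pdf"}


def sniff_mime(data):
    """Derive the MIME type from content, not from the client-supplied name."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def store_upload(storage_dir, db, original_name, data):
    """Write the blob as <sha256> with no extension; keep the name in db."""
    mime = sniff_mime(data)
    if mime is None:
        raise ValueError("upload rejected: content type not on allow-list")
    digest = hashlib.sha256(data).hexdigest()
    path = os.path.join(storage_dir, digest)  # no extension on disk
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o644)  # rw-r--r--, no execute bit
    # Keep only the final path component of the client-supplied name.
    name = os.path.basename(original_name.replace("\\", "/"))
    upload_id = uuid.uuid4().hex
    db[upload_id] = {"sha256": digest, "name": name, "mime": mime}
    return upload_id


def download_headers(db, upload_id):
    """Re-append the original name and force a download, never inline render."""
    rec = db[upload_id]
    # Restrict the name to a safe character set before it enters a header.
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", rec["name"]) or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
    }
```

Items 4 and 6 are web server settings and still have to be applied to the storage directory separately.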