🛠️ Engine Room · February 22, 2026 · 4 min read

Attachment Safety: Magic Bytes Validation & Zero-Knowledge Viewer

Block chameleon files at upload, preview encrypted documents in-browser without ever touching disk.

By TradeStance Engineering
security · file-validation · zero-knowledge · CSP

The Problem

Attackers rename malicious executables to look like harmless documents. A file called invoice.pdf might actually contain a Windows executable (MZ header). Trusting file extensions or MIME types alone is insufficient.

The Solution

Our upload pipeline now inspects the first 8 bytes of every file (the "magic bytes" or file signature) to determine the true file type. This catches chameleon files regardless of their extension or declared MIME type.

What’s blocked:

  • Windows executables (MZ header — .exe, .dll, .sys)
  • Linux binaries (ELF header), macOS executables (Mach-O header)
  • Java class files (CAFEBABE), shell scripts (#! shebang)
  • Archive containers (ZIP/RAR — potential macro payloads)
  • Any file whose magic bytes don’t match the claimed MIME type
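The signature check and MIME cross-check described above, as an added example written for this post (not TradeStance's upload pipeline): it reads only the first 8 bytes, rejects anything whose leading bytes match the blocked list, and then requires the detected type to agree with the MIME type the client claimed. The allowed-type table and the `classifyUpload` name are assumptions.

```javascript
// Added example (not TradeStance's code): classify an upload from its leading
// bytes and cross-check them against the MIME type the client claimed.
// Signatures are well-known file-format magic numbers; the tables are assumptions.
const BLOCKED_SIGNATURES = [
  { name: "Windows executable (MZ)",        bytes: [0x4d, 0x5a] },
  { name: "ELF binary",                     bytes: [0x7f, 0x45, 0x4c, 0x46] },
  { name: "Mach-O 32-bit (big-endian)",     bytes: [0xfe, 0xed, 0xfa, 0xce] },
  { name: "Mach-O 64-bit (big-endian)",     bytes: [0xfe, 0xed, 0xfa, 0xcf] },
  { name: "Mach-O 32-bit (little-endian)",  bytes: [0xce, 0xfa, 0xed, 0xfe] },
  { name: "Mach-O 64-bit (little-endian)",  bytes: [0xcf, 0xfa, 0xed, 0xfe] },
  { name: "Java class / Mach-O fat binary", bytes: [0xca, 0xfe, 0xba, 0xbe] },
  { name: "shell script (#! shebang)",      bytes: [0x23, 0x21] },
  { name: "ZIP container",                  bytes: [0x50, 0x4b, 0x03, 0x04] },
  { name: "RAR archive",                    bytes: [0x52, 0x61, 0x72, 0x21, 0x1a, 0x07] },
];
// Allowed document types, each with the MIME type its signature must be declared as.
const ALLOWED_SIGNATURES = [
  { mime: "application/pdf", bytes: [0x25, 0x50, 0x44, 0x46] },                        // %PDF
  { mime: "image/png",       bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg",      bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/gif",       bytes: [0x47, 0x49, 0x46, 0x38] },                        // GIF8
];
const HEADER_LEN = 8; // only the first 8 bytes are ever inspected

function startsWith(header, sig) {
  return sig.length <= header.length && sig.every((b, i) => header[i] === b);
}

// bytes: Uint8Array of the upload; claimedMime: the type the client sent.
// Returns { ok, reason } so the caller can reject the upload and log why.
function classifyUpload(bytes, claimedMime) {
  const header = bytes.subarray(0, HEADER_LEN);
  const blocked = BLOCKED_SIGNATURES.find((s) => startsWith(header, s.bytes));
  if (blocked) return { ok: false, reason: `blocked signature: ${blocked.name}` };
  const detected = ALLOWED_SIGNATURES.find((s) => startsWith(header, s.bytes));
  if (!detected) return { ok: false, reason: "unrecognised signature" };
  if (detected.mime !== claimedMime) {
    return { ok: false, reason: `claimed ${claimedMime} but bytes say ${detected.mime}` };
  }
  return { ok: true, reason: `verified ${detected.mime}` };
}

// Constructed sample headers (not real files): a PE stub renamed to .pdf, and a real PDF header.
const SAMPLES = {
  renamedExe: new Uint8Array([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00]),
  realPdf: new Uint8Array([0x25, 0x50, 0x44, 0x46, 0x2d, 0x31, 0x2e, 0x37]),
};
console.log(classifyUpload(SAMPLES.renamedExe, "application/pdf"), classifyUpload(SAMPLES.realPdf, "application/pdf"));
```

A leading-bytes check catches renamed files but not polyglots that open with a valid signature, so it belongs in front of, not instead of, a full parser or scanner on the server side.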

For viewing encrypted documents, the new SecureFilePreview component decrypts files entirely in the browser using openpgp.js and Argon2id. Images render via createObjectURL (memory-only, no disk write), PDFs display in a sandboxed iframe, and all object URLs are revoked on modal close. Content-Security-Policy headers prevent any decrypted content from executing scripts.

The Benefit

Even if a user accidentally uploads a disguised executable, it’s blocked before it reaches storage. And when viewing encrypted documents, the plaintext never leaves browser memory — it cannot be intercepted, cached, or accidentally saved.
