Server side security

As part of an open source Android project, I have a very simple web server running cherrypy on top of Amazon EC2. We're thinking of integrating a photo taking component into the application. This data will be stored on the server and served out to other clients.

At this point, the application is anonymous -- no logins required to post information. Am I likely to find myself constantly taking down pictures because the application is getting trolled? Or can I rely upon a flagging mechanism to handle this kind of situation? I have never implemented anything like this, and I don't know what to expect.

I would like to hear from anyone that has built such a service, and has some idea of what it entails to open a service like this to the开发者_StackOverflow社区 public.

---

If you expose an endpoint the internet that allows uploading and sharing of images without authentication, you are probably going to run into issues. In fact, even if you require authentication, you will probably run into issues.

I would definitely require some form of authentication, at least at the application level. If you really don't want the user to have to deal with it, you could generate a GUID or something to at least identify the images that have been uploaded. That's easy to defeat from an attackers standpoint, but it would give you something to use to delete a single 'users' uploads if they are deemed a spam user.

You could also implement some rate limiting to not allow a user to upload lots of images in a short period of time. You can also limit the number of times an image has been viewed.

Basically, think like a spammer / attacker. Can they use you service to upload images that could be used in a spam campaign? Could they use it to spam your users? If the answer is yes, then you need protections for that.