A file upload form lets people attach files - a CV, a screenshot, a signed document, a design asset - alongside the other fields. It turns a form into both an attack surface and a storage problem, which is why most teams should not build the upload handling themselves.
Doing it safely means several things at once: validate the file type against an allow-list and cap the size before accepting anything, scan every upload for malware, store files outside any web root, and serve them back only to authorised people through expiring, access-controlled links. A form that accepts attachments and forwards them unscanned is effectively a malware delivery service.
A hosted form backend handles all of this: uploads are scanned on receipt, stored in encrypted storage, and exposed only through signed download links in your inbox - your own site never touches storage credentials. The forms guide covers file uploads done right, and the file upload form use case walks through a setup.
Related terms
Form backend
A hosted service that receives, processes, and stores HTML form submissions so your website does not need its own server-side code.
GDPR-compliant form
A form whose data collection, storage, retention, and deletion meet the requirements of the EU General Data Protection Regulation.
Spam filtering
The layered techniques a form backend uses to keep automated and unwanted submissions out of your inbox without blocking real people.
Read the full guide