by hyperpape 2770 days ago
Here’s a start: https://mobile.twitter.com/olemoudi/status/10239768976618700...

Thanks for that, great read.

I think for my use case going with S3 will be easier and better for security. So how do I actually do it? Let users directly upload to S3 and have a Lambda function call my server to store the URL? If the image file is maliciously crafted, how does using S3 help, especially when serving the content? How can I set the headers when serving images from S3? And is there a way to identify that a specific user uploaded this file, so that I can have rate limiting? Is it possible to generate a signature or something to identify a user that I can decode server side to say "ok, this user uploaded the file and he is who he says he is"? Maybe sign using the cookie that Django sets for each user?

There are a few options, such as using AWS Cognito or signed requests. I personally use signed requests, which allow you to specify where and what type of files are allowed to be uploaded. First the user asks my server for a policy and signature, then uploads directly to S3, then sends another request to my server when done. My server will then verify and process the uploaded files.

Likewise, requests can also be signed so you can implement rate limiting on your side and just allow S3 to serve the payload. Or you can do things like use CloudFront to serve the objects, which can use various methods of authentication such as signed cookies or Lambda functions.

Headers can be set in the S3 object metadata.

Thanks for the explanation. Follow-up question: how did you implement the signed cookies part?

Use the AWS SDK to generate credentials on your server and pass the returned creds to your frontend. The request to generate the credentials allows you to lock down the size and type of file. They can go directly into a form or be used in JavaScript. Lots of GitHub libs and Stack Overflow answers go into more detail. https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingH...
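As an added example (not code from any of the commenters), here is the policy-and-signature flow the thread describes, in Python with only the standard library: the server signs an S3 browser-upload (SigV4 HTTP POST) policy for one authenticated user, chooses the object key itself under a per-user prefix, pins the uploader into object metadata and the Content-Disposition header S3 will serve back, caps size and content type, rate-limits issuance, and accepts the completion callback only for a key it issued to that user. The bucket name, region, key layout and the in-memory `_issued`/`_pending` stores are assumptions; the access key and secret are the placeholder values from AWS documentation, not real credentials. In production boto3's `generate_presigned_post` produces the same form fields; the signing is written out here so the policy contents are visible.

```python
"""Issue an S3 browser-upload policy (SigV4 HTTP POST) bound to one user,
rate-limit issuance, and accept the completion callback only for keys this
server handed out. Added example; bucket, keys and credentials are placeholders."""
import base64
import hashlib
import hmac
import json
import time
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical configuration. The access key / secret are the placeholder
# values from AWS documentation, not real credentials.
BUCKET = "example-user-uploads"
REGION = "us-east-1"
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
MAX_BYTES = 5 * 1024 * 1024          # content-length-range upper bound
POLICIES_PER_HOUR = 20               # per-user issuance budget

_issued = {}    # user_id -> list of issuance times (rate limiting); assumed in-memory store
_pending = {}   # object key -> user_id the policy was issued to; assumed in-memory store


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret: str, date_stamp: str, region: str) -> bytes:
    """SigV4 key derivation: "AWS4"+secret -> date -> region -> service -> aws4_request."""
    k = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def issue_upload(user_id: str, now: Optional[float] = None) -> dict:
    """Return the POST URL and form fields the browser needs. The server picks
    the object key and pins the uploader into metadata, so the client can neither
    upload outside its own prefix nor claim to be someone else."""
    now = time.time() if now is None else now
    recent = [t for t in _issued.get(user_id, []) if now - t < 3600]
    if len(recent) >= POLICIES_PER_HOUR:
        raise RuntimeError("upload rate limit exceeded for %s" % user_id)
    _issued[user_id] = recent + [now]

    dt = datetime.fromtimestamp(now, tz=timezone.utc)
    amz_date = dt.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = dt.strftime("%Y%m%d")
    credential = "%s/%s/%s/s3/aws4_request" % (ACCESS_KEY, date_stamp, REGION)
    nonce = hashlib.sha256(("%s:%r:%d" % (user_id, now, len(recent))).encode()).hexdigest()[:16]
    key = "uploads/%s/%s" % (user_id, nonce)

    fields = {
        "key": key,
        "acl": "private",
        "Content-Disposition": "attachment",   # stored with the object, sent back on GET
        "x-amz-meta-uploader": user_id,        # stored as object metadata
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": credential,
        "x-amz-date": amz_date,
    }
    policy = {
        "expiration": (dt + timedelta(minutes=5)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "conditions": [
            {"bucket": BUCKET},
            {"key": key},                                 # exact match: no client-chosen key
            {"acl": "private"},
            {"Content-Disposition": "attachment"},
            ["starts-with", "$Content-Type", "image/"],   # client supplies Content-Type, must be image/*
            ["content-length-range", 1, MAX_BYTES],
            {"x-amz-meta-uploader": user_id},
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }
    encoded = base64.b64encode(json.dumps(policy).encode("utf-8")).decode("ascii")
    fields["policy"] = encoded
    fields["x-amz-signature"] = hmac.new(
        _signing_key(SECRET_KEY, date_stamp, REGION), encoded.encode("ascii"), hashlib.sha256
    ).hexdigest()
    _pending[key] = user_id
    # The browser adds its Content-Type field and, last, the file field, then POSTs to url.
    return {"url": "https://%s.s3.%s.amazonaws.com/" % (BUCKET, REGION), "fields": fields}


def decode_policy(fields: dict) -> dict:
    """What S3 sees: the base64 policy the browser forwarded unchanged."""
    return json.loads(base64.b64decode(fields["policy"]))


def signature_is_valid(fields: dict) -> bool:
    """Recompute the signature the way S3 does; a tampered policy fails here."""
    date_stamp = fields["x-amz-credential"].split("/")[1]
    expected = hmac.new(_signing_key(SECRET_KEY, date_stamp, REGION),
                        fields["policy"].encode("ascii"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fields["x-amz-signature"])


def complete_upload(user_id: str, key: str) -> bool:
    """Completion callback: accept only a key this server issued to this user,
    and only once. A real server would then HEAD the object and re-check size
    and type before recording it."""
    if _pending.get(key) != user_id:
        return False
    del _pending[key]
    return True
```

The browser sends the returned fields plus its own Content-Type and the file (file field last) as multipart/form-data to the URL; S3 verifies the signature and rejects any form whose fields fall outside the policy, so the size cap, the image/* restriction, the key and the uploader metadata are enforced by S3 itself rather than trusted from the client. Because the completion callback checks the key against what the server issued for that session, the user's existing Django login is what identifies the uploader; no extra cookie signing is needed. Serving the objects through CloudFront with signed cookies is a separate step not shown here.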