You could put a quota on the user that nsd is running as, at least on the temporary directory. That will then help you if you do anything to expand user-uploaded files. It is fairly easy to construct a Zip file that expands to something huge but lie in the manifest so anything like 'unzip -l' will lie. To defend against a malicious attack you ought not to believe the Content-Length header (as was suggested in the other thread). It won't hurt, I guess, but it won't stop someone who's rolling their own headers.