Multipart uploads to S3 from the browser: CORS, ETag in Expose-Headers, and completing parts
Expose ETag so JavaScript can send complete multipart requests; bucket CORS must list ETag in ExposeHeaders.
Presigned URL flows
Generate presigned URLs server-side with tight expiry; never trust client-provided bucket names.
ListParts responses also need consistent CORS if you resume uploads from the browser.
Security
Block public ACLs on buckets used for user content; buckets with open CORS are a data exfiltration risk.
Scan uploads asynchronously—do not block CORS preflight on malware scanning.
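The two CORS points above (ETag must be listed in ExposeHeaders, and open CORS is an exfiltration risk) can be checked before a configuration is deployed. The following is an added example, not code from the original post: `lintCors`, the sample configurations and the origin `https://app.example.com` are constructed for illustration, and the input is assumed to use the `{ CORSRules: [...] }` JSON shape accepted by S3's PutBucketCors.

```javascript
// Added example: lint an S3 bucket CORS configuration used for browser multipart uploads.
// lintCors is a hypothetical helper; the configurations below are constructed samples.

function lintCors(config, trustedOrigins) {
  const findings = [];
  const rules = (config && config.CORSRules) || [];
  if (rules.length === 0) findings.push("no CORS rules: browser uploads will fail preflight");

  rules.forEach((rule, i) => {
    const origins = rule.AllowedOrigins || [];
    const methods = (rule.AllowedMethods || []).map((m) => m.toUpperCase());
    const exposed = (rule.ExposeHeaders || []).map((h) => h.toLowerCase());

    // Part uploads are PUT requests. Each part's ETag comes back as a response
    // header, and ETag is not CORS-safelisted, so scripts cannot read it unless
    // the rule exposes it. Without it the complete request cannot be built.
    if (methods.includes("PUT") && !exposed.includes("etag")) {
      findings.push(`rule ${i}: PUT allowed but ETag not in ExposeHeaders`);
    }
    // A wildcard origin lets any site's script read responses from this bucket.
    for (const o of origins) {
      if (o.includes("*")) findings.push(`rule ${i}: wildcard origin "${o}"`);
      else if (!trustedOrigins.includes(o)) findings.push(`rule ${i}: unexpected origin "${o}"`);
    }
  });
  return findings;
}

// Constructed sample: open CORS, ETag not exposed.
const weak = {
  CORSRules: [{ AllowedOrigins: ["*"], AllowedMethods: ["GET", "PUT"], AllowedHeaders: ["*"] }],
};
// Constructed sample: one trusted origin, ETag exposed for part uploads.
const fixed = {
  CORSRules: [{
    AllowedOrigins: ["https://app.example.com"],
    AllowedMethods: ["GET", "PUT", "POST"],
    AllowedHeaders: ["content-type"],
    ExposeHeaders: ["ETag"],
    MaxAgeSeconds: 300,
  }],
};

console.log(lintCors(weak, ["https://app.example.com"]));
console.log(lintCors(fixed, ["https://app.example.com"]));
```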
