cOder

Reputation: 19

Deny direct url access to files

Does anyone have any suggestions on how to only allow files to be downloaded from pages on my site and deny access if someone types or pastes the direct URL into a browser?

Upvotes: 1

Views: 610

Answers (3)

ThatBlairGuy

Reputation: 2462

It depends on your web server. With Apache, you can use mod_rewrite rules to block any download attempt where the HTTP_REFERER isn't from your own site. (I imagine something similar exists for IIS.)

Modifying the "Blocked Inline-Images" example, you end up with something like this:

# Return 403 Forbidden for protected files unless the Referer starts with the allowed path
RewriteCond %{HTTP_REFERER} !^http://YOUR_SITE_HERE/ALLOWED_PATH/.*$ [NC]
RewriteRule .*\.PROTECTED_FILE_SPEC$ - [F]

There's a caveat here, and it's an important one. Not all browsers send the HTTP_REFERER header. So not only will this block downloads that didn't come from your home page, it will also block downloads from your site when the browser doesn't send an HTTP_REFERER.

(Note that the original version of those rules will allow downloads when the browser doesn't support HTTP_REFERER. I modified it based on the requirement of not allowing downloads when the URL is pasted directly into the browser.)

Upvotes: 1

derek

Reputation: 4886

Not sure what language you're using, but in .NET, you can add them to the App_Data folder, which is not browsable, and write a custom handler (.ashx) file to retrieve the files. This adds a level of security where your handler can do some rule checking before serving the file to the client.

Upvotes: 0

Federico klez Culloca

Reputation: 27119

Instead of making a direct link to your files, link to a php/asp/python/whatever script that first checks the referrer. If the referrer is in your domain, redirect to the actual file.

Upvotes: 2
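
A handler along the lines of the last two answers (files kept in a folder the web server does not expose, served by a script that checks the referrer first), as an added example that is not part of any answer. It sends the file itself instead of redirecting to it, and it denies requests with no Referer, matching the caveat in the first answer; `make_app`, `referer_allowed`, `resolve_download`, the host name and the storage folder are names assumed for illustration.

```python
import os
from urllib.parse import urlparse


def referer_allowed(referer, allowed_host):
    """True only when a Referer header is present and its host is exactly ours."""
    if not referer:
        return False  # absent header: typed/pasted URL, or a browser that omits it
    try:
        parsed = urlparse(referer)
        return parsed.scheme in ("http", "https") and parsed.hostname == allowed_host.lower()
    except ValueError:
        return False  # malformed header value


def resolve_download(name, files_root):
    """Return the real path of `name` inside files_root, or None."""
    try:
        root = os.path.realpath(files_root)
        path = os.path.realpath(os.path.join(root, name))
        inside = os.path.commonpath([root, path]) == root
    except ValueError:
        return None  # e.g. embedded NUL byte in the requested name
    # Reject anything that resolves outside the storage folder or is not a regular file.
    return path if inside and os.path.isfile(path) else None


def make_app(files_root, allowed_host):
    """Build a WSGI app serving /<name> from files_root (a folder outside the web root)."""
    def app(environ, start_response):
        if not referer_allowed(environ.get("HTTP_REFERER"), allowed_host):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        path = resolve_download(environ.get("PATH_INFO", "").lstrip("/"), files_root)
        if path is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not found\n"]
        with open(path, "rb") as fh:
            body = fh.read()
        start_response("200 OK", [
            ("Content-Type", "application/octet-stream"),
            ("Content-Disposition", "attachment"),
            ("Content-Length", str(len(body))),
        ])
        return [body]
    return app
```

To try it locally, pass the result of `make_app(folder, host)` to `wsgiref.simple_server.make_server`.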
