The KZA

Reputation: 179

Looking for a way to hide the source of downloadable files

I'm building an internal site with the main function of serving up software downloads. One thing I want to guard against, though, is people finding the source paths and circumventing the site (the site logs the download for auditing).

Is there a way to conceal the source of the binaries? (I'm using ASP.NET)

Upvotes: 4

Views: 461

Answers (4)

Matt Ephraim

Reputation: 1360

You could create an HttpHandler that handled all file requests and returned the files based on some kind of unique id. So if someone requests /files.ashx?id=24, they get the file, but they don't know where it's actually located on the server.

Additionally, you could use URL rewriting so it looks to the user like they're accessing a physical file path: /downloads/dog.img, but it's actually getting passed to the handler: files.ashx?id=dog.img. That way the user wouldn't even realize that a handler was being used in the background.

Upvotes: 2

Philluminati

Reputation: 2789

Have your ASP page read the file and write it in a page, serving up the binary data. Link to that page for the download. That way they never know the location of the file on disk.

Like this: http://www.dotnetcurry.com/ShowArticle.aspx?ID=105&AspxAutoDetectCookieSupport=1 but in your ASP over the HTTP stream.

This example shows writing binary over the HTTP stream; just use a file as your input source instead of a database.

https://web.archive.org/web/20210510024814/http://aspnet.4guysfromrolla.com/articles/120606-1.aspx

Upvotes: 0

John Rasch

Reputation: 63435

The best way to do this is to place the files in a directory that is inaccessible from the web, and then load the files dynamically.

This article may help.

Upvotes: 10
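
The handler idea and the "directory inaccessible from the web" idea from the answers above, combined in one sketch. This is an added example, not code posted by anyone in the thread; the class name, the `D:\` paths, the log format and the in-memory catalog are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Hypothetical names throughout: DownloadHandler, StorageRoot, AuditLog, Catalog.
public class DownloadHandler : IHttpHandler
{
    // Assumption: both paths sit outside the web root, so no URL maps to them.
    private const string StorageRoot = @"D:\SoftwareStore\";
    private const string AuditLog = @"D:\Logs\downloads.log";
    private static readonly object LogLock = new object();

    // Assumption: id-to-file catalog; a real site would keep this in a database.
    private static readonly Dictionary<int, string> Catalog =
        new Dictionary<int, string> { { 24, "dog.img" } };

    public bool IsReusable { get { return true; } }
    public void ProcessRequest(HttpContext context)
    {
        int id; string name;
        // Only ids present in the catalog resolve; the client never supplies a path.
        if (!int.TryParse(context.Request.QueryString["id"], out id) ||
            !Catalog.TryGetValue(id, out name))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Defence in depth: a bad catalog entry must not escape the storage root.
        string root = Path.GetFullPath(StorageRoot);
        string path = Path.GetFullPath(Path.Combine(root, name));
        if (!path.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Audit before sending, so every served file has a log entry.
        string user = context.User != null ? context.User.Identity.Name : "anonymous";
        string entry = string.Format("{0:o}\t{1}\t{2}\t{3}{4}", DateTime.UtcNow, user,
            context.Request.UserHostAddress, id, Environment.NewLine);
        lock (LogLock) { File.AppendAllText(AuditLog, entry); }
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(path) + "\"");
        context.Response.TransmitFile(path);
    }
}
```

The handler still has to be registered for a URL such as /files.ashx in web.config. Because the files are only reachable through it, every download passes through the audit write.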

Iain Holder

Reputation: 14282

If you really want to do that then you could do something like

  1. Generate random guid-like directory names
  2. Copy whatever file into it
  3. Serve the link
  4. Delete it after a few minutes.

Upvotes: 2
