
I am currently working on a project that allows users to update and patch their application when updates are available. I am using Apache as the web server and put my patch files in the webroot. The application downloads the patch files through https (I am using a patching system bought from the Unity Asset Store. It supports http, https and ftp. It is done in C#). I have disabled directory listing for better security; however, I am still able to download specific files through the browser if I specify the path. For example:
https://example.com/patch/test.txt

Is there any way I can restrict users from downloading the files directly through the URL? Is there any better approach I can take to improve the security?

Thank you.

2 Answers


  1. You can allow only specific IPs:

    <Location />
            # Apache 2.2 access-control syntax; on Apache 2.4 the equivalent is "Require ip 192.168."
            Order Deny,Allow
            Deny from all
            Allow from 192.168.
    </Location>
    

    If the application is installed on the same PC as the browser, then you are out of luck. You might be able to do some magic with user agents, but that is hackable by pretty much anyone with Postman.

    This is why we prefer to store these in databases, file servers or blob storage, so that we can also secure them.

  2. To prevent file download when:

    • User copies & pastes the URL directly into the browser and hits enter
    • User clicks a direct link from some other website

    You may consider the following options:

    • Your update client sets a custom HTTP header or cookie prior to
      requesting the file from the server; then the server (PHP) checks if either of them is
      present and, if so, serves the file.
    • Since you are using Apache web server, you could use RewriteRule to do the same as above option.

    Example .htaccess:

    Check for Cookie:

    RewriteEngine on
    # Forbid (403) any request whose Cookie header does not carry the expected value
    RewriteCond %{HTTP_COOKIE} !YourMagicCookie=123456 [NC]
    RewriteRule ^ - [F]
    

    Check for custom HTTP header:

    RewriteEngine on
    # Forbid (403) any request where the custom header is absent or empty;
    # requests that carry X-YourUpdateClient fall through and are served
    RewriteCond %{HTTP:X-YourUpdateClient} ^$
    RewriteRule ^ - [F]
    
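As an added example (not code from either answer), here is the server-side check of the second answer written in Python rather than PHP, generalized one step: instead of a fixed header value, which anyone can copy out of the client and replay with Postman, the update client signs the requested path and a timestamp with a shared secret, and the server verifies the MAC and the freshness before serving. `SECRET`, `TOKEN_TTL`, `sign_request` and `verify_header` are assumed names for this illustration.

```python
import hashlib
import hmac

# Constructed shared secret for this illustration; a real deployment keeps it
# out of the webroot and rotates it if the client binary is compromised.
SECRET = b"example-shared-secret"
TOKEN_TTL = 300  # seconds a signed token remains valid


def sign_request(path, issued_at, secret=SECRET):
    """Client side: build the X-YourUpdateClient header value.

    The MAC covers the requested path and the issue time, so a header copied
    from one download cannot be reused for another file or after TOKEN_TTL.
    """
    msg = f"{path}|{issued_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_header(path, header, now, secret=SECRET):
    """Server side: the check that would sit behind the header RewriteCond.

    Returns True only for a well-formed, unexpired token whose MAC matches
    the path actually being requested; everything else gets a 403.
    """
    if not header:
        return False  # header missing: same outcome as the static .htaccess rule
    issued_str, _, mac = header.partition(".")
    if not issued_str.isdigit():
        return False  # malformed token
    issued_at = int(issued_str)
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return False  # expired, or claims to be issued in the future
    expected = hmac.new(secret, f"{path}|{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison
```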