securing locally hosted files

Ryan Kent

Well-known member
I have movies, images and other files which I would like to keep available through my forums/site, but I never want users to be able to type a server path and access. I just realized that if a user knows the correct path, they can type in the URL and have a full index of all my media files.

How can I secure all my site so it remains accessible through cPanel and the normal XF software, but not by typing in a URL?

Ryan Kent

Well-known member
That works for removing the index of all files, but if a user knows the file name, they can still download the file.

My site offers original video content not found on YouTube nor anywhere else on the web. If someone was to download a copy of my videos and publish them elsewhere, it would be a concern for me.


Well-known member
It all comes down to one thing
Anyone who can watch your video can steal your video.
I think you'll find this article interesting.
No discussion of content security would be complete without mentioning digital rights management, or DRM. While DRM is the most secure form of content protection, it's really only suitable for large organizations, owing to its cost and complexity. DRM solutions use special cryptographic algorithms when encoding to ensure that only individuals with the proper credentials are able to decrypt and view the content, and often only after being authenticated by a DRM server or for a specified period of time. Not surprisingly, vendors charge a pretty penny for the software ($40,000+ in licensing fees are not uncommon), and this says nothing about the cost of maintaining and running the necessary server hardware.


Active member
You need to put the files in a directory that is either not accessible from the web directly (outside your web root), or is protected from a .htaccess file to not allow any downloads (in this case it can be inside your web root). A typical .htaccess file in this case would contain the single line "deny from all".

The next step is to create a file that fetches and relays the contents of the protected directory to the user. This should contain some form of authentication. Also be sure to check if they are not trying to access files outside your download directory.

A simple script without any authentication and additional checks might be something like this:

if (isset($_REQUEST["file"])) {
    header("Content-type: application/force-download");
    header("Content-Transfer-Encoding: Binary");
    header("Content-length: ".filesize($file));
    header("Content-disposition: attachment; filename="".basename($file).""");
} else {
    echo "No file selected";
Code taken from

The above page has some more info on it.

I must emphasize: be sure to add security checks, the above code in itself is not secure! It can potentially send other files to the user, and needs to be limited to a certain download directory!

Brett Peters

Well-known member
about the only thing that i could sugest is watermarking your videos

If you do try to secure your videos make sure you check it with one of the many FF video download add-ons