
securing locally hosted files

Discussion in 'XenForo Questions and Support' started by Ryan Kent, Mar 25, 2011.

  1. Ryan Kent

    Ryan Kent Well-Known Member

    I have movies, images and other files which I would like to keep available through my forums/site, but I never want users to be able to type a server path and access them. I just realized that if a user knows the correct path, they can type in the URL and have a full index of all my media files.

    How can I secure all my site so it remains accessible through cPanel and the normal XF software, but not by typing in a URL?
     
  2. Onimua

    Onimua Well-Known Member

    The simplest way would be to put an empty index.html file there, I think.
     
  3. Ryan Kent

    Ryan Kent Well-Known Member

    That works for removing the index of all files, but if a user knows the file name, they can still download the file.

    My site offers original video content not found on YouTube nor anywhere else on the web. If someone were to download a copy of my videos and publish them elsewhere, it would be a concern for me.
     
  4. D.O.A.

    D.O.A. Well-Known Member

    It all comes down to one thing
    I think you'll find this article interesting.
    http://www.longtailvideo.com/support/blog/13088/securing-your-content
     
  5. Ati

    Ati Active Member

    You need to put the files in a directory that is either not accessible from the web directly (outside your web root), or is protected by a .htaccess file so that it does not allow any downloads (in this case it can be inside your web root). A typical .htaccess file in this case would contain the single line "deny from all".

    The next step is to create a file that fetches and relays the contents of the protected directory to the user. This should contain some form of authentication. Also be sure to check that they are not trying to access files outside your download directory.

    A simple script without any authentication and additional checks might be something like this:

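    PHP:
    <?php
    // Minimal relay script: no authentication and no path checks.
    $dir = "/path/to/file/";
    if (isset($_REQUEST["file"])) {
        // The requested name is appended to the base directory as-is
        $file = $dir.$_REQUEST["file"];
        // Force a download instead of inline display
        header("Content-type: application/force-download");
        header("Content-Transfer-Encoding: Binary");
        header("Content-length: ".filesize($file));
        header("Content-disposition: attachment; filename=\"".basename($file)."\"");
        // Stream the file contents to the client
        readfile("$file");
    } else {
        echo "No file selected";
    }
    ?>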
    Code taken from http://www.higherpass.com/php/Tutorials/File-Download-Security/

    The above page has some more info on it.

    I must emphasize: be sure to add security checks, the above code in itself is not secure! It can potentially send other files to the user, and needs to be limited to a certain download directory!
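
The checks the post above asks for (authentication, and confining requests to the download directory), as an added example that is not part of the original post or the linked tutorial. The `user_id` session key and the `resolve_download()` helper are hypothetical names; substitute whatever your own login code sets.

```php
<?php
// Added example. Assumptions: DOWNLOAD_DIR is the protected directory from the
// post, and $_SESSION['user_id'] (hypothetical key) is set by your login code.
const DOWNLOAD_DIR = '/path/to/file';

// Map a user-supplied name to a real file inside $baseDir, or return null.
function resolve_download(string $baseDir, string $requested): ?string
{
    // Empty names and NUL bytes are never valid file names.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; false if nothing is there.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit under the base directory. The trailing
    // separator stops a sibling such as "/path/to/file_private" from matching.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {          // not logged in: refuse
    http_response_code(403);
    exit('Login required');
}
$name = $_GET['file'] ?? '';
$file = is_string($name) ? resolve_download(DOWNLOAD_DIR, $name) : null;
if ($file === null) {                        // missing or outside the directory
    http_response_code(404);
    exit('File not found');
}
// Build the header from the resolved name, never from raw input, and drop
// characters that could break out of the quoted filename.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file));
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($file));
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('X-Content-Type-Options: nosniff');
readfile($file);
```

A request for `?file=../../etc/passwd` resolves outside the base directory and gets the same 404 as a missing file, so the response does not reveal which paths exist.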
     
  6. Brett Peters

    Brett Peters Well-Known Member

    About the only thing that I could suggest is watermarking your videos.

    If you do try to secure your videos, make sure you check it with one of the many FF video download add-ons.
     
