[vox-tech] Apache question: preventing direct access to files

Micah Cowan micah at cowan.name
Thu Mar 10 15:47:58 PST 2005


Richard S. Crawford wrote:

>We've got some .pdf documents on our website that we'd rather people not
>view by directly typing the URL into the browser; we want them to get
>there via a link.
>
>My boss is convinced that we can do this using the same tricks with the
>.htaccess file that can be used to prevent images from being stolen.  I'm
>not entirely sure about that.
>  
>
Isn't it exactly the same problem, though? In either case, you're trying 
to make sure that HTTP's Referer field is set.

>#<FilesMatch "\.pdf$">
>#SetEnvIf Referer "http://152.79.198.7" local_referrer=1
>#Order Deny,Allow
>#Deny from all
>#Allow from env=local_referrer
>#</FilesMatch>
>  
>
The above seems right. I don't know whether there are bugs in it, or 
what, but that's the idea.

'Course, nothing's gonna work if it's commented out ;-)

It's not foolproof: with wget, for example, you could forge a Referer 
field. But the chances of encountering that are pretty low; and anyway, 
there's not much you could do about it, short of actually authenticating 
the tokens.

Since you seem to be using ColdFusion (evidence has been snipped), you 
could probably write a short wrapper that will serve up the pdf file if 
the person "deserves" it; and remove the PDF files to outside of the web 
docs repository.

BTW, don't ColdFusion suck? :-)

-Micah
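
The wrapper idea above, combined with tokens the server can actually authenticate, as an added example that is not part of the original message and is sketched in Python rather than ColdFusion. The `/getpdf` path, `PDF_ROOT`, `SECRET` and `LINK_TTL` are assumptions made for illustration; the page that is allowed to link to a PDF calls `make_link`, and the wrapper calls `resolve` before sending any bytes.

```python
import hashlib
import hmac
import time
from pathlib import Path
from urllib.parse import quote

SECRET = b"constructed-demo-key"      # assumption: real key lives in server-side config
PDF_ROOT = Path("/srv/private-pdfs")  # assumption: directory outside the web docs tree
LINK_TTL = 300                        # assumption: a link is valid for five minutes


def sign(name, expires):
    """HMAC over file name and expiry; only the server can produce it."""
    msg = f"{name}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_link(name, now=None):
    """Build the href while rendering the page that may link to the PDF."""
    expires = int(time.time() if now is None else now) + LINK_TTL
    return f"/getpdf?f={quote(name)}&e={expires}&t={sign(name, expires)}"


def resolve(name, expires, token, now=None):
    """Return the Path the wrapper may serve, or None to refuse the request."""
    now = time.time() if now is None else now
    # Expiry must be a plain ASCII integer that has not passed yet.
    if not (expires.isascii() and expires.isdigit()) or int(expires) < now:
        return None
    # Constant-time comparison; unlike Referer, the client cannot forge this.
    expected = sign(name, int(expires))
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    # Defence in depth: never leave PDF_ROOT, never serve non-PDF files.
    root = PDF_ROOT.resolve()
    target = (PDF_ROOT / name).resolve()
    if root not in target.parents or target.suffix != ".pdf":
        return None
    return target
```

A request that arrives without a valid, unexpired token is refused regardless of its Referer header, and the caller still has to answer 404 if the returned path does not exist.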


