Today I got an issue, which says I should hide some files from the public. Actually these are some "user specific" files so others than the owner should not be able to see them.
I didn't want to read the files with fread or something like that if there are other options so I did some research about the problem and found X-Sendfile mod for apache on an other thread here on SO.
It works almost as I need it. Except one thing. The files are hidden with htaccess, they aren't visible for the "world" and I can serve them with X-Sendfile header after authentication.
BUT what if someone create a php script what does the same thing as mine? Users may remember the urls for the files. The files will be available for them. That's bad...
Do you have any idea what can I do to prevent others than the owners to access their files without permissions? I need a solution for nginx at first.
The files are on a server without PHP, it's only a static file server.
Moving files to an other directory won't work, it would make much more pain.
Thank you
UPDATE It seems like I missed that the downloaded file was 0Kb or something like that, because I wasn't able to do the trick again.
BUT what if someone create a php script what does the same thing as mine?
Why are you letting users upload arbitrary code?
Users may remember the urls for the files.
Users will never see the URLs except for the script that uses X-Sendfile.
Do you have any idea what can I do to prevent others than the owners to access their files without permissions?
Verify their auth in the script that uses X-Sendfile.