Tags: .htaccess, pdf.js, directory-listing

Htaccess - Allow access to file only from pdf.js


I have some problem with a .htaccess file.

To prevent download or printing of PDF documents, I am using PDF.js for reading the contents. Now I want to disable direct HTTP connections to those files. Inside the pdf.js folders, I put a directory called "doc", which contains all the items and this .htaccess:

# Apache 2.2 access control: evaluate Allow rules first, then Deny rules
Order allow,deny
# Deny every request for files in this directory...
Deny from all
# ...except requests for viewer.html itself
<Files ~ "viewer\.html$">
    Allow from all
</Files>

Where viewer.html is the page that contains the document reader. So, when I try to access from my browser

localhost:8080/test/pdfjs/web/viewer.html?file=doc/mondia.pdf

I get:

Unexpected server response (403) while retrieving PDF "../test/pdfjs/web/mondia.pdf"

Where am I wrong?


Solution

  • If PDF.js is running inside the user's web browser, then the user needs to be able to download the PDF document. Apache can't (reliably) tell the difference between "PDF.js on the user's computer" and "Google Chrome on the user's computer" - both are HTTP requests from the user's computer for the resource.

    If you really wanted to, you might be able to detect some header set by PDF.js when it requests the PDF, and refuse requests without that header. That would stop casual users directly accessing the file, but anyone who presses F12 in their browser could see the PDF being downloaded by PDF.js and save the contents from there.

    Even if you served it in some form other than PDF, the user could copy and paste the resulting HTML, or take a screenshot of how it renders to the screen.

    Stopping a user from doing something with their own computer is fundamentally hard; if they can read something on their screen, you have sent it to them in some form. To really block them, you need a trusted "DRM" encryption system that renders directly to screen without ever making decrypted data accessible to the user. In the vast majority of cases, that would be completely overkill, and just annoy your users (for instance, blind users probably won't be able to access the content, as their screen reader software will not be trusted).
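As an added example (not part of the question or the answer above, and not PDF.js project code), this is the "detect a header and refuse requests without it" approach the answer describes, placed as the .htaccess inside the "doc" directory. It uses the browser-supplied Referer header as the discriminator, and the host, port and path are assumptions taken from the question's URL.

```apache
# Constructed .htaccess for pdfjs/web/doc/ (example only).
# Mark requests whose Referer is the viewer page; the URL prefix is an assumption.
SetEnvIf Referer "^https?://localhost:8080/test/pdfjs/web/viewer\.html" from_viewer=1

# Apache 2.2 syntax, matching the question's directives. Note the order is
# deny,allow here: with the question's allow,deny, "Deny from all" would
# always win and the viewer's own fetch of doc/mondia.pdf would still get 403.
Order deny,allow
Deny from all
Allow from env=from_viewer

# Apache 2.4 equivalent of the three lines above:
# Require env from_viewer

# Caveat, as the answer explains: Referer is set by the client and may be
# omitted under a strict Referrer-Policy, and the PDF bytes are still
# delivered to the browser that renders them. This only deters casual direct
# links; it is not a download or print prevention.
```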