Teodor, I followed the documentation trail right through on this topic; it mainly concentrates on storing uploaded documents outside the website. This is a course of action I wish to avoid if possible.
So far I am storing my uploaded files in a dynamically named folder, which is not guessable (I believe), and your recommended line in .htaccess (Options -indexes) stops folder browsing. It does not address file security. Other suggestions like
Order Deny,Allow
Deny from All
address file security but even stop Wappler from getting to the files.
So far my security is no more than the intruder not being able to guess my folder names. Is this an acceptable standard? Seems a bit weak to me.
To view a PDF online, my plan is to use Wappler to create a temp folder within the web site, copy the PDF to there from its non-guessable storage folder, and view the PDF from the temp folder with a URL. After a small period of time, Wappler, on a schedule, will delete the PDF from the temp folder. That way my non-guessable folder is not revealed in the URL.
But I would still like to secure the files themselves. I have explored .htaccess documentation at length and files can be password protected. But this would stop Wappler from getting to the files as well? Unless Wappler can manipulate the file passwords. Alternatively, if I had .htaccess that defined a common password and .htaccess_nopassword that did not, can Wappler be used to swap these files around momentarily so that passwords are effectively temporarily removed when a user wants to view a PDF?
Is this a harebrained or naive idea? Is there a better way to secure files?
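
The temp-folder plan described in the post above, sketched as an added example that is not part of the original post and is not Wappler's own code. It assumes a Node.js server target; the function names, folder names and five-minute lifetime are hypothetical, and the sample PDF is constructed.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const crypto = require('crypto');

// Copy a stored PDF into the web-visible temp folder under a random name,
// so the URL reveals neither the storage folder nor the original file name.
function publishTempCopy(storedPath, tempDir) {
  const token = crypto.randomBytes(16).toString('hex'); // 128-bit random name
  const publicName = `${token}.pdf`;
  fs.mkdirSync(tempDir, { recursive: true });
  fs.copyFileSync(storedPath, path.join(tempDir, publicName));
  return publicName; // caller builds the viewing URL from this name
}

// Scheduled sweep: delete temp copies older than maxAgeMs.
// Returns the names that were removed so the run can be logged.
function purgeExpired(tempDir, maxAgeMs, now = Date.now()) {
  const removed = [];
  for (const name of fs.readdirSync(tempDir)) {
    const full = path.join(tempDir, name);
    const st = fs.statSync(full);
    if (st.isFile() && now - st.mtimeMs > maxAgeMs) {
      fs.unlinkSync(full);
      removed.push(name);
    }
  }
  return removed;
}

// Constructed demo: one stored file, published once, swept twice.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'pdfdemo-'));
  const storeDir = path.join(root, 'store-constructed'); // hypothetical storage folder
  const tempDir = path.join(root, 'tmp-view');           // hypothetical temp folder
  fs.mkdirSync(storeDir);
  const stored = path.join(storeDir, 'report.pdf');
  fs.writeFileSync(stored, '%PDF-1.4 constructed sample');
  const lifetime = 5 * 60 * 1000; // assumed five-minute lifetime
  const name = publishTempCopy(stored, tempDir);
  const early = purgeExpired(tempDir, lifetime); // copy is still fresh
  const late = purgeExpired(tempDir, lifetime, Date.now() + 2 * lifetime);
  const storedStillThere = fs.existsSync(stored); // original is never touched
  fs.rmSync(root, { recursive: true, force: true });
  return { name, early, late, storedStillThere };
}
```

While a temp copy exists, anyone who has its URL can fetch it, so the lifetime is the exposure window.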