How can I protect my Download Folders?

There are a variety of ways of protecting a directory from unauthorised downloading. The following notes describe the solutions, but only the last one gives full protection.

1. Include index.html file

One of the simplest methods of protecting a directory and its contents is to include a file called either index.html or index.php. With this method, if someone accesses the folder directly, the browser will 'execute' that file instead of showing the folder contents.

When a new Category is created by jDownloads, an index.html file is automatically inserted in the directory. The contents of this index.html file are typically as below:

<html><body bgcolor="#FFFFFF"></body></html>

If executed, this shows a blank white page on the screen.

2. Disallow "Indexes" using .htaccess file

Another scheme is called the "Indexes Option" which, despite its name, has nothing to do with the index file; the Indexes Option allows or prevents the contents of a directory being listed as an index.

Most web site hosts have the Indexes option deactivated by default. But sometimes it is activated, so visitors can browse to the download folders and see the files.

[Image: protect02A]
The Indexes option sets whether someone can "browse" the directory or not. If Indexes are allowed, and the directory does not have either an index.html or an index.php file, then a browser will show the contents of the directory just like your file manager would, as shown in the example opposite. It simply shows the directory contents as a list with links to the actual files. That is, they can be downloaded by the browser.

To disallow Indexes, create a file in the jDownloads root folder with the name .htaccess and include in it the single line:

Options  -Indexes

Note: The default Joomla! .htaccess file includes the above option in the root of the site, so all directories then have this level of protection.

3. Deny Access using .htaccess file

The above methods are effective, but only if the user does not know the full file path and file name of the file. If the user knows that information, then a browser will be able to download the file.

For example, if the user knows that the file called test.mp4 is stored on www.mysite.com in directory /dirA/subdirB, then by loading www.mysite.com/dirA/subdirB/test.mp4 into a browser that file can be 'stolen'.

To prevent this you need a .htaccess file in your jDownloads root folder with the statement 'deny from all' in it. Only PHP files on the site will then be able to access and download the file.

This is easily implemented by using the jDownloads Configuration - Security tab and setting the field 'Protect your Download-directory?' to Yes, as shown in the picture opposite.

[Image: protect03]

There is, however, a special situation when previewing video or audio files, as noted in the 'red' text in the 'Protect your Download-directory?' field.

The situation is summarised in the two pictures below.

[Image: protect05A] [Image: protect04]

So if you wish to have previews and your site restricts access to downloads, say by requiring points or membership, then make sure the previews are just a sample of the full video or audio file.
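
To check which of the three levels each folder actually has, the script below walks a download tree on disk and reports the strongest protection in effect for every directory. It is an added example, not part of jDownloads or of the original article. It assumes .htaccess rules are inherited by subfolders and not overridden further down, and it also accepts 'Require all denied', the Apache 2.4 form of 'deny from all', which the article does not mention.

```python
import os
import re

# Directives named in the article, plus "Require all denied", the Apache 2.4
# form of the same rule (added here, not from the article).
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
NO_INDEXES_RE = re.compile(r"^\s*Options\b.*(?<!\S)-Indexes\b", re.I | re.M)
INDEX_FILES = ("index.html", "index.php")


def read_htaccess(directory):
    """Return the text of directory/.htaccess, or '' if there is none."""
    try:
        path = os.path.join(directory, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def audit(root):
    """Map each directory under root (relative path) to its protection level.

    'denied'     - method 3: deny rule here or in a parent, direct URLs fail
    'no-listing' - method 1 or 2 only: listing hidden, direct URLs still work
    'listable'   - none of the three methods applies
    """
    root = os.path.abspath(root)  # normalise so parent lookups match
    report, inherited = {}, {}    # inherited: path -> (deny, no_indexes)
    for current, _dirs, files in os.walk(root):
        parent = inherited.get(os.path.dirname(current), (False, False))
        text = read_htaccess(current)
        deny = parent[0] or bool(DENY_RE.search(text))
        no_idx = parent[1] or bool(NO_INDEXES_RE.search(text))
        inherited[current] = (deny, no_idx)
        has_index = any(name in files for name in INDEX_FILES)
        if deny:
            level = "denied"
        elif no_idx or has_index:
            level = "no-listing"
        else:
            level = "listable"
        report[os.path.relpath(current, root)] = level
    return report


if __name__ == "__main__":
    import sys
    for path, level in sorted(audit(sys.argv[1]).items()):
        print(f"{level:10}  {path}")
```

Run it with the path of the jDownloads root folder as the only argument. Any folder reported as 'no-listing' or 'listable' can still be downloaded from by someone who knows the file URL.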

Colin Mercer, Edited May 2018
 

  • Monday, 25 February 2013