How can I protect my Download Folders?

Written on .

  1. Introduction
  2. Include index.html file
  3. Disallow "Indexes" using .htaccess file
  4. Deny Access using .htaccess file

Introduction

There are a variety of ways of protecting a directory from unauthorised downloading.  The following notes descibe the solutions  but it is only the last one that gives full protection.  But it also creates a restriction when dealing with media files!
In general if a file is 'not chargeable' in say points or other mechanisms then the combination of the first two methods pus the Joomla! Access and Permission features are an excellent defence.

In this article two out of the three available protecton method use what is known as an '.htaccess' file.  This file is used by the web site to enable control of many aspects, including access protection.  It is not necessary to become familiar with the details of an .htaccess file except to understand that if there is an .htaccess file in a directory then the "commands" apply to the files in that directory and those files in the entire chain all the following sub directories.     So typically an .htaccess file is placed in a root directory.
However an .htaccess file may be placed in one of these subdirectories to apply further conditions or to modify conditions set in an earlier .htaccess file.

Include index.html file

One of the simplest methods of protecting a directory and its contents is to include a file called either index.html or index.php.  With this method if one makes a direct access to the folder then the browser will 'execute' the index file.

When a new Category is created by jDownloads then an index.html file is automatically inserted in the directory.  The contents of this index.html file are typically as below

<html><body bgcolor="#FFFFFF"></body></html>.

If executed this causes a white page on the screen.

Disallow "Indexes" using .htaccess file

Another scheme is called the "Indexes Option" which, despite its name, has nothing to do wth the index file; the Indexes Option allows or prevents the contents of a directory being listed as an index of its contents.

Most web site hosts have the Indexes option deactivated as the default.  But sometimes it is activated so visitors can browse to the download folders and see the files.

The Indexes option sets whether someone can "browse" the directory or not.  If Indexes are allowed, and the directory does not have either an index.html or an index.php file, then a browser will show the contents of the directory just like your filemanager would do as shown in the example opposite.  It simply shows the directory contents as a list with links to the actual file.  That is they can be downloaded by the browser.protect02A

To disallow Indexes create a file in the jDownloads root folder with the name .htacces and include in it the single line:
          Options  -Indexes
Note  The default Joomla! .htaccess file includes the above option in the root of the site so all directories then have this level of protection.  Follow the instructions in Global Configuration - Site tab - SEO section - "Use URL Rewriting".  This involves renaming 'htaccess.txt' to '.htaccess'.  Sometimes the native file system will not carryout the renaming as it expects a 'filename' before the 'extension'.  In such a situation renaming is readily done using an FTP utility such as File Zila.

Deny Access using .htaccess file

The above methods are effective but only if the user does not know the full filepath and file name of the file.  If the user knows that information then a browser will still be able to download the file.

For example if the user knows that a file called test.mp4 is stored on www.mysite.com in directory /dirA/subdirB then by loading www.mysite.com/dirA/subdirB/test.mp4 into a browser then that file can be 'stolen'.
To prevent this jDownloads is able to add a specific .htaccess file into your jDownloads root folder.  This file then only allows php files on the site to access and download the file.
This is actioned by using the jDownloads Options - Security tab and setting field 'Protect your Download-directory?' to Yes as shown in the picture opposite.  If the setting is set to No then the .htaccess file is removed.protect03
The need to protect files from being 'stolen' is obviously very important for those sites which are effectively 'selling' the file, and also where there may be some degree of confidentiality involved.  For such sites it is strongly recomended that in the Security tab - setting 'Protect your Download-directory?' is set to Yes.
There is however a special situation when related to video or audio files.

jDownloads recognises that in a Download with a media file if you have not provided a  'preview' then it will show the full media file from the normal download area.  Importantly, jDownloads does not copy the media file to the preview directory.  This is to both save space and also allow actual pre-views to be shown as described later.

Assuming temporarily there is no separate preview file associated with the Download, then the situation is summarised in the two pictures below.  The one on the left is when protection is Yes, and the one on the right is when protection is No.  This situation may be  changed however when a preview file has been associated with the Download as described below.

protect05Aprotect04
If you do provide a separate preview file, generally a short clip, then all those actual previews are stored in a specific directory called ' _preview_files'.  To allow these specific 'previews to be shown there is another variant of an .htaccess file that basically turns the protection off for that directory and its files.
So if you set 'Protect your Download-directory?' to Yes then another setting 'Unprotect Previews Directory?' is available.  Setting this to Yes will then allow actual previews to be shown by inserting an .htaccess file that only 'unprotects' the preview directory and its files.protect06
With 'Unprotect Preview Directory' also set to yes and there is an actual preview 'clip' then the preview will be shown.
The result is summarised in the table below.

Global Tab
Send over PHP
 Security Tab
Protect Download*		 Audio/Video
shown when
no preview?
Downloadable
Actual Preview Shown
when allowed
Yes Yes No Normal** Yes
Yes No Yes Normal Yes
No Yes No No Yes
No No Yes  Yes via Browser Yes
The settings in bold are the default settings.

*It is assumed here that  'Unprotect Previews Directory?' is set to Yes.

**The file is protected from external 'download' attempts but downloading from internal PHP scripts is allowed.

To protect your files and allow downloading subject to any criteria such as points, password or similar the set the options as noted below.
  •  in Options -Global tab set 'Send over PHP' to Yes;
  •  in Options -Protection tab set 'Protect your Download Directory'  to Yes;
  •  in Options -Protection tab set 'Unprotect Previews Directory?' to Yes.
With the above settings then to show an example of either an audio or video you need to add a preview file when you create or edit the Download then in Files tab - 'Select Preview File' browse for the relevant 'clip'.
Do not use the full media file as browsers allow the file being played to be downloaded!
Many media players provide 'clipping' facilities.
Colin Mercer, April 2019

Tags: index

Print Email