How to secure uploaded files?

Teodor, I followed the documentation trail right through on this topic; it mainly concentrates on storing uploaded documents outside the website. This is a course of action I wish to avoid if possible.

So far I am storing my uploaded files in a dynamically named folder, which is not guessable (I believe), and your recommended line in .htaccess (Options -Indexes) stops folder browsing. It does not address file security. Other suggestions like
Order Deny,Allow
Deny from All
address file security but even stop Wappler from getting to the files.

So far my security is no more than the intruder not being able to guess my folder names. Is this an acceptable standard? It seems a bit weak to me.

To view a PDF online, my plan is to use Wappler to create a temp folder within the web site, copy the PDF there from its non-guessable storage folder, and view the PDF from the temp folder with a URL. After a small period of time, Wappler, on a schedule, will delete the PDF from the temp folder. That way my non-guessable folder is not revealed in the URL.

But I would still like to secure the files themselves. I have explored the .htaccess documentation at length and files can be password protected. But this would stop Wappler from getting to the files as well? Unless Wappler can manipulate the file passwords. Alternatively, if I had a .htaccess that defined a common password and a .htaccess_nopassword that did not, can Wappler be used to swap these files around momentarily so that passwords are effectively temporarily removed when a user wants to view a PDF?

Is this a harebrained or naive idea? Is there a better way to secure files?

As I already posted in your other topic about the same question, just follow this topic:

It explains how to secure your files from being accessed by entering the direct link. As explained in this topic:

You can disable directory listing and access to the files via direct link using .htaccess, so it will never be possible to access a file using its link, even for logged-in users. You then allow access to the files from your web server only.

Then you can create a server action which downloads the file(s) and protect it using security restrict, so only logged-in users can run it. Run it on button click.

So - use the htaccess rules provided there and use the serverside download action to get the files ... no other way to access them will work.

I tried using this in NodeJS Docker DO target, and it did not work. Is there some other configuration required for Docker-DO setup?

Sid, .htaccess is used for Apache servers.

Ok. Just confirming. I remember now I asked this in a separate post where I found I had to create a separate volume for persistent and secure access.

Out of curiosity, and a bit out of topic…
I don’t understand this well, but there is some apache/nginx server running to interface the NodeJS app with internet, no?

Teodor, I went through all the documentation that you mentioned above, and picked up a new line for my .htaccess; the new line is highlighted…


That line makes all the files, not just the folders, secure, which is good.
But even Wappler cannot touch the files now, as a test of my download shows…


So I read on. In the Routing tutorial, as far as I can tell routing disguises a URL to a page, which would be useful to disguise my unguessable folder names. At the bottom of the tutorial there is one line that reveals that routing can also manipulate or generate a local .htaccess, which seems very useful, I presume, to temporarily control Allow or Deny to the file of interest, solving the permission problem.

So my question is this: to view a PDF online I need to use a non-Wappler page to show the PDF in its own web page, linked to from within Wappler. Does routing still disguise the URL that brings up the PDF? Or is there a Wappler internal method to show a PDF?

Just use the file download action in Server Connect, as explained above. The rule you added will only allow files to be downloaded through the server action's download action.