Help securing files access with htaccess and php?

星月不相逢 2020-12-22 02:25

I'm working on a site that allows users to purchase digital content and have implemented a method that attempts to serve secure downloads.

I'm using CodeIgniter to

3 Answers
  • 2020-12-22 02:57

    Make it so the web server does not serve the files under any circumstances, otherwise all the checking is pretty moot. The best way to do that is to put them somewhere outside the webroot. I.e.:

    /
      webroot/         <- root web directory, maybe named www or similar
        index.php      <- your app, served normally
        …other serve-able files…
      files/           <- not part of the serve-able webroot dir
        secret_file    <- web server has no access here
    

    Then, if the only way to access them is through your script, it's as secure as you make your script.

  • 2020-12-22 02:58

    .htaccess should look like this if you want them to only be downloadable from your localhost. Also, it removes some handlers that could try to access any of the files, just in case. So that way only you have access to it. Also a good idea to store an index.php file in there that checks the existence of another file, and if exists, set the header, if not, exit.

    .htaccess file:

    <Files *>
        Order Deny,Allow
        Deny from all
        Allow from localhost
    </Files>
    
    RemoveHandler .php .php3 .phtml .cgi .fcgi .pl .fpl .shtml
    
  • 2020-12-22 03:07

    Why not just Deny from All in the .htaccess? Or place files above webroot? That would be enough. But your current setup is pretty safe already. Why do you think you need any help?

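The approach in the first two answers (files kept outside the webroot and handed out only by a script that checks the file exists before setting headers), as an added example that is not code from the thread. The function names, the temp-directory layout and the sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Resolve a client-supplied name to a real file inside $storageDir, or null.
function resolve_download(string $storageDir, string $requested): ?string
{
    $base = realpath($storageDir);
    // PHP 8 path functions throw on NUL bytes, so reject them up front.
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses ".." and symlinks; false means "does not exist".
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still sit under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Stream the file as an attachment. Call only after the purchase check.
function send_download(string $path): void
{
    $name = addcslashes(basename($path), "\"\\");
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (PHP_SAPI === 'cli') {
    // Constructed layout mirroring the first answer: files/ beside webroot/.
    $root = sys_get_temp_dir() . '/dl_demo_' . getmypid();
    mkdir($root . '/files', 0700, true);
    mkdir($root . '/webroot', 0700, true);
    file_put_contents($root . '/files/secret_file', 'paid content');
    file_put_contents($root . '/webroot/index.php', '<?php');
    // Constructed sample requests: valid name, traversal, missing file.
    foreach (['secret_file', '../webroot/index.php', 'missing'] as $name) {
        $hit = resolve_download($root . '/files', $name);
        echo str_pad($name, 24), $hit === null ? 'rejected' : 'served', PHP_EOL;
    }
}
```

In a web request, call send_download() only after the application's own purchase check has passed and resolve_download() has returned a path.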