By vizechef on
Although the content of the files folder is not shown by default (according to the settings of my ISP), I am pretty sure some evil users are able to hack this.
Finally - the content is also visible for bad-behaving search engines which don't care about 'robots.txt' settings.
Does anybody know if (and how) it is possible to grant Drupal users access to the files folder secured by htaccess?
Or is there another way to limit access to the files folder?
Comments
You can secure files using
You can secure files using .htaccess, but then you need to use private download method.
Private files
To secure your "files" directory you should move it outside of your webspace. You then have to change your file settings to "secure" in Drupal.
Unfortunately, Drupal provides two methods of serving files (public or private) but cannot offer both simultaneously. Also note that the file paths in your database will be incorrect if you move the filestore directory (if I remember correctly) so you would have to manually update them.
Why move ?
Thank you guys for helping me.
I understand I have to change my download method settings to private. But then - why should I move the files dir to another location? It would still be the same mechanism (means 'htaccess') that secures my files.
In the forums I see that security questions like mine come up very often. I read many topics but still did not find the information I need. Do you guys know if there is a guideline available?
Private files
I don't understand what it means to move the files directory outside of the webspace, can you please clarify?
I would like to have some files available to anyone but another set of files that are available only to users in a certain role, a la taxonomy access.
Thanks!!
With public the files
With public, the files directory is available from the root of your web directory. www.example.com/files will allow you to browse.
If you move files from out of the webroot path and tell your Drupal install where it is, then it will not be browsable from a web browser and your Drupal install will have to serve the files itself.
There is a performance impact but I don't know much about it or if it's enough to be a concern.
-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain
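The arrangement discussed in this thread (files kept outside the web root, with the application deciding per request whether to serve them) can be sketched as follows. This is an added example, not part of the original posts and not Drupal's own code; the `FOLDER_ROLES` table, the function names and the sample store are hypothetical and constructed for illustration.

```python
import os
import tempfile

# Hypothetical rule table: top-level folder in the private store -> roles allowed.
FOLDER_ROLES = {"public": {"anonymous", "member", "editor"},
                "members": {"member", "editor"}}

def resolve_private_file(store_root, requested, user_roles):
    """Return the real path to serve, or None if the request must be refused."""
    root = os.path.realpath(store_root)
    # Normalise the request and resolve symlinks before any check.
    target = os.path.realpath(os.path.join(root, requested))
    # Refuse anything that escapes the store ("../", absolute paths, symlinks).
    if os.path.commonpath([root, target]) != root:
        return None
    if not os.path.isfile(target):
        return None
    # The first path component below the store selects the access rule.
    folder = os.path.relpath(target, root).split(os.sep)[0]
    allowed = FOLDER_ROLES.get(folder, set())  # unknown folder: deny by default
    if not allowed & set(user_roles):
        return None
    return target

def build_demo_store():
    """Create a constructed sample store; the temp dir stands in for a path outside the web root."""
    base = tempfile.mkdtemp()
    store = os.path.join(base, "private_files")
    for folder, name in (("public", "flyer.txt"), ("members", "minutes.txt")):
        os.makedirs(os.path.join(store, folder))
        with open(os.path.join(store, folder, name), "w") as fh:
            fh.write("constructed sample\n")
    # A file beside the store, used to show that traversal is refused.
    with open(os.path.join(base, "settings.txt"), "w") as fh:
        fh.write("constructed secret\n")
    return store

if __name__ == "__main__":
    store = build_demo_store()
    for req, roles in (("public/flyer.txt", ["anonymous"]),
                       ("members/minutes.txt", ["anonymous"]),
                       ("members/minutes.txt", ["member"]),
                       ("../settings.txt", ["editor"])):
        print(req, roles, "->", resolve_private_file(store, req, roles))
```

Because every request passes through the check, no file in the store is reachable by URL alone, which is the property a directory listing restriction or `robots.txt` does not give.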
path?
Thanks - I did this, and when I upload a file it uploads to the right place, but the link to the file is wrong. Take a look at http://test.catya.org/?q=node/7 - I attached a file there and it put it in the right place, but the link from that page to the file didn't work.
Am I missing a setting someplace? Or is this a bug?