Restricting access to static files using Bottle

Question

I am creating a web application using the bottle framework. Since we need to provide routes to static files such as:

  def server_css(self, filename):
    return static_file(filename, root='css')

Is there any way from restricting a user in just typing /css/file.css to access the file?

yes, the script should be able to access it, but not anyone else — user3681650, Jun 14 '14 at 02:56
you mean, you want the html to be able to use it, but no one to be able to download it? why? that's not really sensible. — Eevee, Jun 14 '14 at 04:11

score 1 · Accepted Answer · edited May 23 '17 at 11:49

No, not really.

I mean, you could come up with some elaborate, obfuscated dynamic (javascript) loading mechanism, but is it really worth it?

But you could put your sensitive files in a different, protected, location. So there'd be /css/file.css, which would be publicly accessible. Then there'd be /private/file.txt which you'd protect with your favorite flavor of authentication.

If this is specifically about hiding your css from the general public, I suppose you could try to obfuscate it, but IMO that's a bit of a fool's errand.

score 0 · Answer 2 · answered Jun 14 '14 at 03:32

0

Maybe you can check an href http headers. They might be empty when user types in browser and something otherwise.

answered Jun 14 '14 at 03:32

iamkhush

2,562
3
20
34

I think you mean Referer header. (And no, that's not a good idea.) – ron rothman Jun 15 '14 at 00:38

Restricting access to static files using Bottle

2 Answers2