0

We have a directory on our website, ./content/, that contains a bunch of subdirectories, each of which contain their own subdirectories, etc etc. In these subdirectories there are also a lot of .PDF docs that we need to prevent someone from being able to directly access, say by going directly to example.com/content/myfile.pdf.

We have the files referenced throughout our site and being loaded through Mozilla's PDF.js library so, obviously, we need to be able to have our PHP/HTML/JS files to be able to access them, but ONLY from within our domain.

I tried creating an .htaccess file both at our domain root and in the content folder to limit access but I'm still able to directly access them. Here's the .htaccess contents:

<IfModule mod_rewrite.c>
   RewriteCond %{HTTP_HOST} ^example\.com$
   RewriteRule ^$ https://www.example.com/* [R=301,L] 

   RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC] 
   RewriteRule ^_content/[^.]+\.(jpe?g|gif|bmp|png|pdf)$ - [F,NC]
</IfModule>

Thanks in advance.

Dan Kaufman
  • 115
  • 1
  • 13
  • 1
    You should probably serve it through PHP rather than using a referer check – Farkie Dec 28 '16 at 20:36
  • 1
    http://stackoverflow.com/questions/10236717/htaccess-how-to-prevent-a-file-from-direct-url-access – Farkie Dec 28 '16 at 20:37
  • I've played with a couple of the answers in the referenced post and they are not working for me. I'm afraid I don't know what you mean by 'serve it through PHP'? – Dan Kaufman Dec 28 '16 at 20:50

1 Answers1

0

With some modifications from the post recommended by Farkie this ended up working for me (extra HTTP_REFERER for https since we want to restrict http and https).

RewriteEngine on 
RewriteCond %{HTTP_REFERER} !^https://(www\.)?example.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example.com/.*$      [NC]
RewriteRule .*\.(pdf)$ - [F,NC]
Dan Kaufman
  • 115
  • 1
  • 13