Preventing direct access to files in IIS 7

Question

I have a PHP application running on a Micrisoft IIS 7 server. The application shows PDF files on an iFrame, which contains user's sensitive data that I wouldn't like to be directly accessed by anyone that knows the file address.

So basically, I'm looking for a way to protect files from direct browser access or download, but still be able to show it on the application's iFrame.

I made some research with Rewrite rules, but since the "HTTP_REFERER" of an iFrame is empty, I couldn't find a good solution

Any suggestions for this? Thanks in advance

Answer 1

Without seeing any of your code, or how your application works, I can only give suggestions based on how I think your app works.

Rather than showing the files themselves, with links directly to those files, you should consider changing your application so that the PHP reads in the directory, displays the file names (however you want them to appear), with links that go to a download.php page. The download page (after checking whether the user has permission to download the file) then loads the file into memory and serves it out as a response (with appropriate Content-Disposition and Content-Type headers).

Since your PHP application can read files directly within the web directory, you can set up rewrite rules to prevent accessing those files from the web; that way, the files can only be accessed by the PHP application, which doesn't rely on rewrite rules to access the drive.

This is how places like Source Forge can display an advertisement with a countdown that your file download will begin in 5 seconds.