• Members 53 posts
    March 29, 2018, 9:22 a.m.

    Since some images / attachments are private and cannot be accessed by others, it seems the path 'media/attachments/' is public and can be accessed by anyone online...

    If possible, add a login check somewhere? Maybe Django can do this?

  • March 29, 2018, 10:20 a.m.

    As long as you disable indexes for your static and media files, the only way to download an attachment is to know the link to it, and this isn't that simple, because there's a 64-character-long string that needs to be guessed along the way.

    The assumption for not gating those files out behind Django is twofold:

    • This is extra load on Django
    • You'll need to set up x-send-file to delegate file downloading to your HTTP server
    • A "leaker" may just as easily download the file himself and put it up elsewhere
    • You don't upload super-secret stuff to an internet forum

    We could gate those out using an expiring web token like JWT that we would put in the URLs to attachments, and your HTTP server or media store would then validate it using a shared secret. That way any link to files being leaked would expire on its own in 15-20 minutes. This is how big guys like FB and others do it.

    Anything more than that is IMHO not worth the candle - the downloadable file will eventually be reuploaded elsewhere by someone who has access to it, because that's how files have always spread over the internet.
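
    A minimal version of the expiring, shared-secret signed link the reply above describes, added here as an illustration and not code from the forum software or the poster. It uses a plain HMAC over the path and expiry time instead of a JWT; the secret, TTL and file name are constructed placeholders, and the verifier half is what the HTTP server or media store would run.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Shared secret known to Django (which signs links) and to the HTTP server /
# media store (which verifies them). Constructed placeholder, not a real value.
SHARED_SECRET = b"replace-with-a-long-random-secret"
TOKEN_TTL = 15 * 60  # a leaked link expires on its own after 15 minutes


def _signature(path: str, expires: int, secret: bytes) -> str:
    """HMAC-SHA256 over the attachment path and its expiry timestamp."""
    message = f"{path}\n{expires}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def sign_attachment_url(path: str, secret: bytes = SHARED_SECRET,
                        ttl: int = TOKEN_TTL, now: Optional[int] = None) -> str:
    """Signer side: append an expiry and a signature to the attachment path."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    query = urlencode({"expires": expires, "sig": _signature(path, expires, secret)})
    return f"{path}?{query}"


def verify_attachment_url(url: str, secret: bytes = SHARED_SECRET,
                          now: Optional[int] = None) -> bool:
    """Verifier side: accept only an unexpired link whose signature matches the path."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False  # token missing or malformed: treat as an unsigned request
    if now > expires:
        return False  # link has expired; re-signing requires a logged-in request
    expected = _signature(parts.path, expires, secret)
    # Constant-time comparison so the verifier does not leak the signature byte by byte.
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    # Constructed sample path under the public media/attachments/ directory.
    link = sign_attachment_url("/media/attachments/example-attachment.png")
    print(link, verify_attachment_url(link))
```

Changing the path, the expiry or the secret invalidates the signature, so a copied link is only useful until its timestamp passes.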

  • Members 53 posts
    March 29, 2018, 11:54 a.m.

    Looks very complex. I just want to keep the private images as safe as possible; it seems the best way would be to put the images on an independent server for this purpose...