[Zope] Preventing files from being viewed by web clients
Tino Wildenhain
tino at wildenhain.de
Mon May 8 16:25:50 EDT 2006
Brian wrote:
> I have a flash app that accesses .xml files.
>
> The source is viewable and some creative crackers have figured out how to
> meld a url together to get vital information from those .xml's.
Well, don't put vital information there :-)
> I need to prevent the web client from directly accessing them.
>
> Is there a directive (such as Apache's) or mechanism to keep web clients
> from accessing yet allow my app to access these files?
Your flash app is a web client too and thus indistinguishable
from any other web client.
> Something like
>
> <FilesMatch \.(?i:gif|jpe?g|xml)$>
> Order allow,deny
> Allow from <some file name>
^^^^ what exactly would you want to
put into this hypothetical statement? :-)
> Deny from all
> <some other web trick>
> </FilesMatch>
>
> in zope.conf or ???
No. Just don't send anything over the web to any client
that you don't want to send to people. Everything you send
can and will be read no matter what the intended client
is. Neither SSL nor custom auth will prevent people from reading
it. (see tcpflow and openssl client)
Regards
Tino
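
An added example, not part of the original thread: one way to act on the advice above is to build the XML that the Flash client fetches from a server-side allowlist, so the vital fields never leave the server. The element names, the sample document and the `public_view` helper are all hypothetical.

```python
# Added example (not from the thread): project a server-side XML file onto an
# allowlist before it is served, instead of trying to hide the full file.
import xml.etree.ElementTree as ET

# Constructed sample of the full server-side data; names are hypothetical.
SOURCE_XML = """\
<catalog>
  <item id="1" cost="4.10">
    <title>Widget</title>
    <price>9.99</price>
    <supplier_login>acme:s3cret</supplier_login>
  </item>
  <item id="2" cost="7.25">
    <title>Gadget</title>
    <price>19.99</price>
    <internal_note>discontinue in Q3</internal_note>
  </item>
</catalog>
"""

# Allowlist: tag -> attributes that may be sent. Anything unlisted is dropped,
# so a field added to the source later stays private by default.
PUBLIC_SCHEMA = {"catalog": set(), "item": {"id"}, "title": set(), "price": set()}


def project(elem, schema):
    """Copy elem keeping only allowlisted tags and attributes; None if dropped."""
    if elem.tag not in schema:
        return None  # the whole subtree is withheld, including its text
    allowed = schema[elem.tag]
    out = ET.Element(elem.tag, {k: v for k, v in elem.attrib.items() if k in allowed})
    out.text = elem.text
    for child in elem:
        kept = project(child, schema)
        if kept is not None:
            out.append(kept)
    return out


def public_view(xml_text, schema=PUBLIC_SCHEMA):
    """Return the XML string that is safe to hand to any web client."""
    root = project(ET.fromstring(xml_text), schema)
    if root is None:
        raise ValueError("root element is not allowlisted")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(public_view(SOURCE_XML))
```

Only the output of `public_view` is published at a URL; the full source file stays outside anything the web server will serve.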