Download Directory, Upload File - Security Aspects

Hello, I’ve a few questions related to the download directory on the webpage:

  • where should I put a folder with images and banners visible on the page? (in the protected folder, the directory above, or somewhere else :> )

  • … and where should files for download go?

  • which security aspects should I watch out for in designing the download directory and the file upload method?

I saw on a certain page that all download files have the prefix ‘xyxyxy’, where each x and y were random digits. What is the reason for using this method?

Thanks for any suggestions.

Inside a web-accessible folder. For example, htdocs/images.

The ‘protected’ folder is not accessible by default (and it must not be), because of the ‘deny from all’ htaccess in it.

If they’re supposed to be accessible to everyone, then they should be inside a web-accessible folder, like /htdocs/uploads or something.

If they’re not, you should think about how you’re planning to restrict access to them.

I think you should validate uploaded files by type and also turn the PHP engine off for these folders (one line in htaccess).

Also note that if you’re planning to keep very many uploaded files, it can slow down their output on some systems. Consider splitting them into subfolders (based on md5(filename), for example).

It’s hard to tell, but there are several reasons for that.

It can be versioning, ensuring filename uniqueness or something else.

Thank you ORey for your helpful answer :)
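
The upload handling suggested in the answer above (type validation, server-chosen names with a random prefix, md5-based subfolders), as an added PHP example that is not part of the original thread. The upload root, the allow-list and the function names are assumptions; PHP 7 or later is assumed for random_bytes().

```php
<?php
// Added example, not code from the thread. UPLOAD_ROOT, ALLOWED and both
// function names are assumptions made for illustration.
// The "one line in htaccess" for this folder under Apache mod_php would be:
//   php_flag engine off

const UPLOAD_ROOT = __DIR__ . '/htdocs/uploads';   // assumed web-accessible folder
const ALLOWED = [                                  // assumed allow-list: MIME => extension
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'image/gif'       => 'gif',
    'application/pdf' => 'pdf',
];

/** Subfolder derived from md5(filename): "ab/cd" spreads files over 65536 buckets. */
function shardFor(string $name): string
{
    $h = md5($name);
    return substr($h, 0, 2) . '/' . substr($h, 2, 2);
}

/** Validate one $_FILES entry, store it, and return its path relative to UPLOAD_ROOT. */
function storeUpload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Detect the type from the content; $file['type'] and $file['name'] come
    // from the client and must not decide the stored type or extension.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ALLOWED[$mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    // Server-chosen name: a random prefix guarantees uniqueness, and the
    // extension comes only from the allow-list.
    $name = bin2hex(random_bytes(8)) . '.' . $ext;
    $rel  = shardFor($name) . '/' . $name;
    $dir  = dirname(UPLOAD_ROOT . '/' . $rel);
    if (!is_dir($dir) && !mkdir($dir, 0755, true) && !is_dir($dir)) {
        throw new RuntimeException('cannot create directory');
    }
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_ROOT . '/' . $rel)) {
        throw new RuntimeException('cannot store file');
    }
    return $rel;
}
```

Keep the original client filename, if it is needed for display, in the database next to the returned path rather than on disk.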