- Read time
- 2 min
- Words
- 280
A protected download is not secure because its path is difficult to guess. If the browser can request a file, the server must decide whether that specific request is authorized, which asset may be returned, and how the response should behave. The file path is an implementation detail; the authorization decision is the product boundary.
Start with an allowlist of document identifiers and server-owned locations. Never accept an arbitrary filesystem path from the client. Validate the request shape, authenticate or verify the access grant, and bind that grant to the intended resource. If access is time-limited, define both the expiry rule and the recovery path. Failure responses should avoid revealing private paths, secret identifiers, or whether unrelated assets exist.
Response headers matter. A sensitive document normally needs private, non-cacheable delivery, an explicit content type, a safe download name, and defensive content-disposition handling. Range requests require careful parsing so a malformed or oversized range cannot become an availability problem. Logs and analytics should record useful operational events without capturing access tokens or document contents.
Free public templates have a different contract. Their paths can be direct, but the files still need provenance and hygiene. Visible placeholders should replace personal facts. OOXML metadata, comments, tracked changes, hidden text, relationships, and rendered pages should be inspected before release. Public does not mean unaudited.
Finally, test both permission and denial. A valid grant should reach only its allowed file. Missing, expired, malformed, and cross-resource attempts should fail predictably. Verify headers and byte behavior, not merely the status code. Secure delivery emerges from these connected controls. An unlisted URL may slow casual discovery, but only a verified authorization flow protects the resource as a system.