This time I got bad luck with Stack Overflow, you guys are my last resource, and please be kind with a newbie. Here is the trouble: in my MEAN application I need to provide a link to download a file (TIF image); the link must be hidden and not accessible by unauthorized users. So I came up with the idea of keeping the files inside the server directory and let Angular.js send with

Client Side:
Template: <a ng-href="#" target="_self" type="button" class="btn" ng-click="download()">Download</a>

Server Side
Content-Disposition: attachment; etc etc
header to the response with the file. Don't forget that just because a user can't see a link, that doesn't mean they can't access a URL. This means that you need to validate on the server side that they are authorized to access the file even if they were able to ping the URL.

Thanks for the suggestion, a simple <a ng-href="{{file}}" target="_self"></A> did the job without even touching the headers.

My link shows only part of the URL, but IMHO there is no solution to keep things safe on the client side, even with a simple "/download/ID_IMAGE" a malicious user can easily rebuild the protected link,
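
The server-side authorization check recommended in the answer above, sketched as an added example that is not code from any post in this thread. The file table, user names, storage paths and the `req.user` property (set by some authentication middleware) are assumptions; `res.sendStatus` and `res.download` are the Express response methods.

```javascript
// Constructed sample data: in a MEAN app this would live in a MongoDB collection.
const FILES = new Map([
  ['a1', { stored: '/srv/private/scan-0001.tif', name: 'scan.tif', owner: 'alice', sharedWith: ['bob'] }],
  ['b2', { stored: '/srv/private/scan-0002.tif', name: 'plan.tif', owner: 'carol', sharedWith: [] }],
]);

// Decide what the server answers for GET /download/:id.
// `user` is whatever the authentication middleware attached to the request
// (assumption), or undefined for an anonymous request.
function decideDownload(user, fileId) {
  if (!user) return { status: 401 }; // not logged in
  // Look the ID up in a table; never build a filesystem path from request input.
  const file = FILES.get(String(fileId));
  const allowed = file &&
    (file.owner === user.name || file.sharedWith.includes(user.name));
  // Same answer for "no such file" and "not your file", so a guessed or
  // rebuilt /download/ID link reveals nothing about which IDs exist.
  if (!allowed) return { status: 404 };
  return { status: 200, path: file.stored, name: file.name };
}

// Express-style route handler: app.get('/download/:id', downloadHandler)
function downloadHandler(req, res) {
  const decision = decideDownload(req.user, req.params.id);
  if (decision.status !== 200) return res.sendStatus(decision.status);
  // res.download sends the file with Content-Disposition: attachment.
  return res.download(decision.path, decision.name);
}
```

With this in place the link can be fully visible: a user who rebuilds `/download/b2` by hand still gets a 404 unless the server's own records say they may read that file.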