Securing files/images in laravel
Shaikh Al Amin

Publish Date: Jul 27 '23

If you put a file in the public folder, it will be accessible to everyone who knows the file name, because the nginx/apache rewrite rules used by Laravel only apply to non-existing files, so Laravel won't even run when an existing file is requested.

So you still have to put restricted files somewhere outside the public folder. Maybe in the storage folder, but ultimately it doesn't matter.

And yes, you should just use Response::download.

Make a small FileController:

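class FileController extends Controller
{
    public function __construct()
    {
        // Only logged-in users can reach the actions of this controller.
        $this->middleware('auth');
    }

    public function getFile($filename)
    {
        // Null name and null disposition: no Content-Disposition header is set.
        return response()->download(storage_path($filename), null, [], null);
    }
}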

The fourth argument of download() being null prevents the Content-Disposition header from being set to attachment. So your browser won't ask you to save the file, but will just show it.

Then add a route:

Route::get('file/{filename}', 'FileController@getFile')->where('filename', '^[^/]+$');

And that's it. Now your authenticated users can download files from the storage folder (but not its subfolders) by calling http://yoursite.com/file/secret.jpg. And you can use this URL in the src attribute of an image tag.
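
An added example, not code from the original post: a plain-PHP helper that getFile() could call so that only files sitting directly inside one dedicated folder are served, instead of passing the route parameter straight to storage_path(). The helper name resolveProtectedFile, the protected/ subfolder and the allow-listed character set are assumptions of this example, and the demo tree is constructed in a temp directory on a POSIX system.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of Laravel): map a user-supplied name to a
// real file directly inside $baseDir, or return null if it is not acceptable.
function resolveProtectedFile(string $baseDir, string $filename): ?string
{
    // Allow-list: plain names only. This excludes both kinds of path
    // separator, NUL bytes, "." / ".." and hidden files in one check.
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $filename) !== 1) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }

    // realpath() has resolved symlinks, so a link that points elsewhere
    // fails this containment check even though its name looked harmless.
    return dirname($path) === $base ? $path : null;
}

// Constructed demo tree standing in for storage/; the protected/ subfolder
// name is an assumption of this example.
$storage = sys_get_temp_dir() . '/demo_storage_' . bin2hex(random_bytes(4));
mkdir("$storage/protected", 0700, true);
mkdir("$storage/logs", 0700, true);
file_put_contents("$storage/protected/secret.jpg", 'image-bytes');
file_put_contents("$storage/logs/laravel.log", 'constructed log line');
symlink("$storage/logs/laravel.log", "$storage/protected/link.jpg");

foreach (['secret.jpg', 'link.jpg', '..', 'logs/laravel.log', 'missing.jpg'] as $name) {
    $path = resolveProtectedFile("$storage/protected", $name);
    printf("%-18s %s\n", $name, $path === null ? 'rejected' : 'served');
}
```

In the controller, a null result would become abort(404). The auth middleware only establishes that a user is logged in, so any per-file ownership rule still has to be checked separately.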
