Home/ Questions/Q 4038836
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T12:31:22+00:00

I have a site that allow the user to request a secret report in

  • 0

I have a site that allow the user to request a secret report in a pdf format.

My idea is to put the generated pdf files in a public folder with disabled directory browsing.

Each file name consists of 128 characters that are uniquely and cryptographically generated.

The legitimate user will be given the link of his/her own report.

Is it dangerous to put pdf files with cryptographically-generated-128-character file names in a public web folder?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Well it does qualify as security-through-obscurity, so it’s frowned upon. Think about following scenario’s:

    • What happens when someone else gets a hold of the link? By snooping the connection, reading e-mails, hacking a computer which contains a bookmark/download history/cache. Since the link is always there, your document is now public.
    • If at any time in the future, a minor part of your server is compromised and the directory is indexed, even for a second, all files are public. This can be one badly-written script, one injection, one XSS-vulnerability, one currently unknown zero-day. You are exposing your documents to the weakest link.

    You should probably not do this. Instead, keep the documents at a secure location, out of the document-root. Then when an authenticated user asks for the document over a secure (HTTPS) connection, serve the document using a script that reads the document and writes it over the connection. No temporary files in the documentroot!

    • 0