How to secure a private file in Drupal

February 01, 2023

Tags: Technologies, IT Staff Augmentation



Among the most popular CMS solutions is Drupal, the most famous content management system after WordPress, and the most secure against cyber-attacks currently on the market.


It is one of the most scalable and robust CMSs, well suited to websites that need constant content changes and updates, and it offers developers and site administrators many features for customizing landing pages.





Drupal has a large developer community


For people who are not familiar with web development, it can be difficult to understand why an open-source CMS matters and what the term means, especially when someone else will be developing the project.


Look at it this way: Drupal is an open-source content management system, which means that any developer can contribute to the Drupal code and improve it, which improves the experience for everyone.


Despite the misconceptions that exist today about open-source systems, Drupal has an active developer community, robust code and a strong structure that make it one of the best CMSs currently on the market.





Private file in Drupal


One of the features that Drupal offers is private files. What differentiates a private file from a public one is that a request for it first has to go through Drupal, which determines who can access it. Needless to say, this "pre-validation" process slows things down a bit.


Private files in Drupal development are most often used for:


  • Online communities
  • Social intranets
  • Chat apps




How to secure a private file in Drupal


Once the user has determined which files she wants to keep private on her Drupal site, she only has to follow a few simple steps to ensure that they stay private and are seen only by those who should see them.


Start by going to settings, then click on Media and then on File system. On the file system page, follow this route:


  1. Go to settings.php and set the private files directory.
  2. Select "../files" as your "Private Filesystem Path" and make sure the directory is located outside of the webroot.
  3. Then, when setting the default download method, choose "Private local files saved by Drupal" instead of "Public local files saved by the server".


And voilà, this is all that is needed to secure private files in Drupal. Now users who want to download a specific file or take a look at an image, for example, will do so via a Drupal system call and not directly from their web browsers.
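Step 2 depends on the private directory really being outside the webroot, so it is worth checking after configuration. The script below is an added example, not part of the original article: it resolves the configured path and reports whether it still falls inside the webroot. It assumes a relative path is resolved against the webroot; `resolve_dir` and `private_path_status` are hypothetical helper names, and the paths in the usage comment are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the article): verify that the directory configured as
# Drupal's private file path really lies outside the webroot.
# In Drupal 8 and later the settings.php key is $settings['file_private_path'].
# Assumption: a relative value such as "../files" is resolved against the webroot.
# resolve_dir and private_path_status are hypothetical helper names.

# Print the physical path of a directory (symlinks followed); fail if it is missing.
resolve_dir() {
  ( cd -P -- "$1" 2>/dev/null && pwd -P )
}

# Usage: private_path_status WEBROOT PRIVATE_PATH
# Prints "outside" (returns 0), "inside-webroot" (returns 1) or "missing" (returns 2).
private_path_status() {
  local webroot candidate private
  webroot=$(resolve_dir "$1") || { echo missing; return 2; }
  case "$2" in
    /*) candidate=$2 ;;            # absolute path: use as given
    *)  candidate=$webroot/$2 ;;   # relative path: resolve against the webroot
  esac
  private=$(resolve_dir "$candidate") || { echo missing; return 2; }
  # Compare with a trailing slash so that a sibling such as /srv/site/web-private
  # is not mistaken for a child of /srv/site/web. Resolving symlinks first also
  # catches a path that merely links back into the webroot.
  case "$private/" in
    "$webroot"/*) echo inside-webroot; return 1 ;;
    *)            echo outside; return 0 ;;
  esac
}

# Run as: ./check_private_path.sh /srv/site/web ../files   (constructed paths)
if [ "$#" -eq 2 ]; then
  private_path_status "$1" "$2"
fi
```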

