无法追踪的网址掩码

I want to mask a file URL on my site so that it can be accessed, but they can't find the direct URL of the file, even if the view the HTML source code. I don't know if it is possible with php, but please help me. Anything will do.

If I understand your question correctly, you want to avoid "deep linking", i.e. someone extracting the file URL from your page and using it elsewhere.

This can not directly be done, as the information is needed by the browser to access the file, and a determined attacker will quite easily be able to extract it.

There is a workaround though: Make this URL dynamic.

  • Place file outside the publically accessible web root
  • When delivering the HTML page from PHP, create a download token, that has the file path, an expiry time (and maybe other factors such as a session ID, a referrer URL, etc ...) cryptographically secured (i.e. hash it together with a server-known secret)
  • Deliver a link to a download script, not the file iself
  • inside the download script, verify the parameters and the hash, exit with a 304 (or maybe 404) if wrong
  • if verification passes, simply deliver the file

This will protect you from deeplinking in that an attacker will be able to extract an URL, that loses its validity after your expiry time. If you use an AJAX request to create the download token immediately before starting the download, you can make this quite short (few seconds)

You can't.

The browser has to know the URL to request the file from.

The browser is under the control of the user.

Any information you give to the browser, you also give to the user.