I am using the internal directive to protect a folder from being accessed by external requests:
location /protected_files {
internal;
}
The folder stores images.
In my frontend, I create <img> tags with some identifier to that path:
// JavaScript part that sets the path
image.src = `get_image?path=/${path}`;
So now the above code is in a loop that appends many images.
Then, when the page loads, it sends a request to the get_image URL, which in turn returns an HTTP response containing the X-Accel-Redirect header with the path of each image.
Let's say the image is stored in protected_files/image.jpeg; then, if I try to go in the browser to http://mysite.dev/protected_files/image.jpeg, it works and I get a 404.
But in the Network tab in the devtools the URL looks like http://mysite.dev/get_image?path=/protected_files/image.jpeg
When I double-click it, it opens the URL with get_image, which does show the image.
So how can I also protect the URL that identifies the path to the image (get_image in my case), so that it won't be accessible either?
My goal is that the images would only be accessible from the page that was intended to load the images. Should I perhaps do that not via nginx and validate the request via the backend code (PHP in my case)?
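The `internal` directive only stops nginx from serving `/protected_files/...` directly; every request for `get_image` is still answered by the backend, so the backend is the place where access is decided. The following is an added example, not code from the question or from nginx: a hypothetical backend handler (written in Python rather than PHP so the logic stays self-contained; the assumed names `handle_get_image`, `normalize_protected_path`, `PROTECTED_ROOT` and the `session`/`allowed_images` inputs are constructed for this illustration) that requires an authenticated session, normalizes the requested path so it cannot escape `/protected_files`, checks that this user is entitled to this particular image, and only then emits `X-Accel-Redirect`. A `Referer` check would not achieve the stated goal, because that header is under the client's control; per-user authorization is what actually binds an image to "the page that was intended to load it".

```python
import posixpath
from typing import Dict, Optional, Set, Tuple

# Must match the nginx block:  location /protected_files { internal; }
PROTECTED_ROOT = "/protected_files"

Response = Tuple[int, Dict[str, str], bytes]  # (status, headers, body)


def normalize_protected_path(raw: str) -> Optional[str]:
    """Return a canonical path inside PROTECTED_ROOT, or None if the
    request does not resolve to a file below that root.

    This is what stops `path=/protected_files/../etc/passwd` style input
    from being forwarded to nginx in the X-Accel-Redirect header."""
    if not raw or "\x00" in raw:
        return None
    # Force exactly one leading slash, then collapse `.`/`..`/duplicate slashes.
    candidate = posixpath.normpath("/" + raw.lstrip("/"))
    if candidate == PROTECTED_ROOT:
        return None  # the directory itself, not a file
    if not candidate.startswith(PROTECTED_ROOT + "/"):
        return None  # escaped the protected folder
    return candidate


def handle_get_image(session: Dict[str, object], raw_path: str,
                     allowed_images: Set[str]) -> Response:
    """Backend handler for GET /get_image?path=...

    `session` is the server-side session for this request (constructed here;
    in PHP this would be $_SESSION).  `allowed_images` is the set of canonical
    paths this user's page is entitled to show, looked up by the application
    (constructed here as a plain set)."""
    # 1. Anyone without a logged-in session gets nothing, regardless of path.
    if not session.get("user_id"):
        return 401, {}, b"unauthenticated"

    # 2. Canonicalize and confine the path before it touches nginx.
    path = normalize_protected_path(raw_path)
    if path is None:
        return 403, {}, b"forbidden"

    # 3. Authorize this user for this specific image, not just "logged in".
    if path not in allowed_images:
        return 403, {}, b"forbidden"

    # 4. Hand delivery to nginx.  Leave Content-Type unset so nginx picks
    #    the type for the redirected file from its own `types` mapping.
    return 200, {"X-Accel-Redirect": path}, b""


if __name__ == "__main__":
    # Constructed sample inputs.
    logged_in = {"user_id": 7}
    allowed = {"/protected_files/image.jpeg"}
    print(handle_get_image({}, "/protected_files/image.jpeg", allowed))
    print(handle_get_image(logged_in, "/protected_files/../etc/passwd", allowed))
    print(handle_get_image(logged_in, "/protected_files/other.jpeg", allowed))
    print(handle_get_image(logged_in, "/protected_files/image.jpeg", allowed))
```

Only the last call produces a 200 with the `X-Accel-Redirect` header; the first three return 401 or 403 without ever naming a file to nginx. The same four steps map directly onto a PHP `get_image` script: check `$_SESSION`, canonicalize `$_GET['path']`, consult the application's own record of which images belong to the current user's page, then `header('X-Accel-Redirect: ...')`.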