php – Is htaccess protection for images secure enough?
Let’s suppose I want to intercept all public traffic trying to reach any image under the
All those requests should be processed by a PHP script in a file called, for example, secure-view.php living inside the uploads folder.
I would put something like the following into an .htaccess file inside the uploads folder:
RewriteRule ^(.+)\.(png|jpg|gif)$ secure-view.php?file=$1.$2 [NC,L]
Now, inside the secure-view.php file I can do whatever I want, like checking if the visitor is logged in and has permission to see the matched file.
Then I can display the actual image or an error.
I wonder if I can rely on such a security measure for images containing sensitive data. In this case it would be pictures of the person in underwear (for a fitness coaching plan).
An alternative would be to upload those images to a folder above the document root, so that they can only be loaded via PHP. But if the proposed method is fine enough, I would like to stick to it to also use the benefits of the WP Media Gallery and the built-in media upload API.
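
As an added example (not part of the original post), here is one way the secure-view.php gate described in the question could be written so that the file parameter cannot escape the uploads folder and unknown files are denied by default. It assumes the default WordPress layout, the PHP fileinfo extension, and an illustrative policy in which only the uploader or an editor-level user may view a file; sv_deny is a hypothetical helper name.

```php
<?php
// secure-view.php, placed in wp-content/uploads/ (added example).
// Assumption: default layout, so the WordPress root is two levels up.
require_once dirname(__DIR__, 2) . '/wp-load.php';

function sv_deny(int $status): void {
    status_header($status);
    nocache_headers();
    exit;
}

if (!is_user_logged_in()) {
    sv_deny(403);
}

// Resolve the requested name; realpath() collapses "../" and symlinks,
// so anything that ends up outside the uploads folder is rejected.
$uploads = wp_get_upload_dir();
$base    = realpath($uploads['basedir']);
$file    = is_string($_GET['file'] ?? null) ? wp_unslash($_GET['file']) : '';
$path    = realpath($base . '/' . $file);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    sv_deny(404);
}

// Decide the type from the file's bytes (fileinfo extension), not the URL.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true)) {
    sv_deny(404);
}

// Map the file to its Media Library attachment. Resized copies such as
// "name-150x150.jpg" are looked up through the original's name.
$rel  = ltrim(str_replace('\\', '/', substr($path, strlen($base))), '/');
$orig = preg_replace('/-\d+x\d+(\.[a-z]+)$/i', '$1', $rel);
$id   = attachment_url_to_postid($uploads['baseurl'] . '/' . $rel)
     ?: attachment_url_to_postid($uploads['baseurl'] . '/' . $orig);

// Assumed policy: only the uploader or an editor-level user may view.
// Files with no matching attachment are denied.
$owner = $id ? (int) get_post_field('post_author', $id) : 0;
if (!$id || ($owner !== get_current_user_id() && !current_user_can('edit_others_posts'))) {
    sv_deny(403);
}

header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
exit;
```

The gate only sees requests that the RewriteRule matches, so files in the uploads folder with any other extension are still served directly by the web server.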