Cryptic URL
This module appends a cryptographically secure token to filenames when files are uploaded. This make file and image URLs "unguessable".
Features
The most common solution for protecting certain files so that they are accessible only by certain users is to store them in a private file system. Drupal then performs the necessary access check before serving files to users. However, this comes with a performance hit, and it can cause caching issues.
This module appends a cryptographically secure token to all filenames so that their URLs become unguessable. Therefore, files can be stored in the public filesystem and only users that already have been given its URL can access a file or image.
Note that whether this technique is appropriate or secure enough for your Drupal application depends on your context. Please evaluate that carefully before adopting it.
Future development
More related features could be added to this module, such as support for:
- Configuring on which file systems and fields to append the token
- Applying the same technique to other URLs e.g. content items or products
- Configuring an expiration time
- Configuring the size of the token i.e. the security level
- Support different token generation algorithms
I currently do not have the use cases for these features so it is unlikely that they will be developed soon. Merge requests or sponsorship are welcome.
Post-Installation
Currently, the module applies the feature to all files across the system. There is nothing to configure.
Requirements
Drupal 9.0+
PHP 8.0+
Supporting this Module
Create issues in the Drupal.org queue, submit MRs. If you are interested in sponsoring this module to add more features, contact the module maintainers.