Securing image / static content

I have some images under /public/images/ in a RoR application. I am accessing the images from view templates using standard HTML tags. Since the images are under a public directory they can be accessed by anyone (not coming through my application).

What is the best way to keep my images accessible only to authorized users? I cannot keep them in a non-public dir because they will not work then.

Thanks

Keep the images out of the public dir (say RAILS_ROOT/assets/images) and then write an ImagesController that will serve up the images by setting the appropriate content-type and using send_data/Ruby IO.

Thanks for the response. Wouldn't using send_data be inefficient, as the bytes will be read into the server memory first? How can Ruby IO be used?

Thanks

Hi, I’d add to what ljredpath suggested. Keep your images in an assets folder, but if you use Lighty, an X-Sendfile header will work wonders, as Lighty itself will fetch the file for you. Read more about that here: http://blog.lighttpd.net/articles/2006/07/02/x-sendfile (I’m waiting for this too: http://blog.lighttpd.net/articles/2006/07/22/mod_proxy_core-got-x-sendfile-support )

This is probably the most “efficient” solution.

Vish
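
The approach discussed in this thread, as an added example that is not part of the original posts: a Rack-style endpoint in plain Ruby that authorizes the request, confines the requested name to an image directory outside public/, and then either hands the file to the web server via an X-Sendfile header or streams it in chunks. The class name `ProtectedImages`, the authorizer callable and the `user_id` key are hypothetical, and the front-end server is assumed to be configured to honour X-Sendfile.

```ruby
require "tmpdir"

# Added illustration in plain Ruby (no Rails or Rack gem); all names are hypothetical.
class ProtectedImages
  TYPES = { ".png" => "image/png", ".jpg" => "image/jpeg", ".gif" => "image/gif" }.freeze

  # root: image directory outside public/; authorizer: callable returning true/false.
  def initialize(root, authorizer, x_sendfile: true)
    @root = File.realpath(root)
    @authorizer = authorizer
    @x_sendfile = x_sendfile
  end

  def call(env)
    return [403, {}, []] unless @authorizer.call(env)
    path = resolve(env["PATH_INFO"].to_s)
    return [404, {}, []] unless path
    headers = { "Content-Type" => TYPES[File.extname(path).downcase], "Cache-Control" => "private" }
    # With X-Sendfile the web server reads the file; the app only authorizes.
    return [200, headers.merge("X-Sendfile" => path), []] if @x_sendfile
    # Fallback: stream 16 KiB chunks so the whole file is never held in memory.
    body = Enumerator.new do |out|
      File.open(path, "rb") { |f| while (chunk = f.read(16_384)); out << chunk; end }
    end
    [200, headers, body]
  end

  private

  # Map the request to a file strictly inside @root, or return nil.
  def resolve(path_info)
    name = File.basename(path_info)          # drops any directory components
    return nil if name.include?("\0") || !TYPES.key?(File.extname(name).downcase)
    candidate = File.join(@root, name)
    return nil unless File.file?(candidate)
    real = File.realpath(candidate)          # follows symlinks before the prefix check
    real.start_with?(@root + File::SEPARATOR) ? real : nil
  end
end

# Constructed sample run: one image file in a temp directory, three requests.
def demo
  Dir.mktmpdir do |dir|
    File.binwrite(File.join(dir, "logo.png"), "constructed-bytes")
    app = ProtectedImages.new(dir, ->(env) { !env["user_id"].nil? })
    ["/images/logo.png", "/images/../../etc/passwd"].map { |p| app.call("PATH_INFO" => p, "user_id" => 1)[0] } +
      [app.call("PATH_INFO" => "/images/logo.png")[0]]
  end
end
```

In a Rails application the same checks would sit in the controller action, with the authorizer replaced by the application's own login filter.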