I’m building an application for a company that has thousands of clients, and for each client there will a set of documents that are private to that client. Rails makes it easy, of course, to show the list of documents on a per-client basis, using acts_as_authenticated and using current_user as part of the find any time a document list is displayed.
The part for which I’m looking for the best solution is access to the documents themselves. My simple implementation has the Rails view showing a series of links to the files (which are word, excel, and powerpoint documents). The problem is that Rails isn’t involved at all in the actual document delivery, since these static files are served directly from Apache. So anyone who gets, or guesses, the URL can access these files without authentication.
I’ve come up with three possible solutions and would appreciate hearing what others have done, and whether there are holes that I’m missing, or another approach I’ve missed.
Security by obscurity. Use long random strings for the directory and file names. This is probably secure enough in practice, but certainly isn’t secure in theory and doesn’t feel quite right.
Deliver the static files via Rails. Put the documents in a directory tree outside of public and use a Rails action to read the file and deliver it to the browser. This seems like it would be secure, and doesn’t require any Apache configuration, but it would dramatically increase the server load when these files are viewed. I’m not sure whether that would be a real issue or not.
Referrer-based blocking in Apache. Set the Apache config to prohibit access to the documents directories if the referrer is not the Rails view that renders the list of files from the database. This seems like potentially the best solution but I’m wondering if there’s any security hole here that I’m missing. One weakness is that some people seem to have their web browser set to not provide a referrer, and those people wouldn’t be able to access the documents.
I’d appreciate any suggestions.