Securing non-HTML content
An online banking application lets the user export account statements as text files or Excel spreadsheets. How should the application generate, store and dispatch these non-HTML content to the user’s browser?
- Maintain these files in the web server’s file system, and redirect the user to the correct file when requested.
- Store the data in a database, and create the files temporarily in the local file system when a user requests it. Then redirect the user to this temporary file.
- Store the files in a database, read it with a server program and dispatch the files directly to the browser by setting the content-type directive.
The best answer to the quiz is Option 3 - store the files in a database and dispatch them to the browser by setting the content-type directive.
The security challenge here is how to restrict access for these files to authorized sessions. When the user requests a program (like .asp, .jsp, .php etc.), the program file checks the session token and authorizations. However, when the user requests an Excel spreadsheet directly, the session tokens are not checked. If the file is stored in the web server’s file system, then any user who knows the URL can access the file. Application level permissions do not apply anymore.
A second issue is that these files get cached on the browser. A file can avoid getting cached by setting specific cache control directives. A program file like .asp has mechanisms to set the cache control directives for its output, but files served from the file system do not. These files can thus get stolen from the browser’s cache.
Option 1 of maintaining the files in the web server is clearly insecure due to the above reasons.
Option 2 is safer than 1 as the files are not permanently stored in the file system, but are deleted after a few minutes. These files however, can be accessed by any user during these few minutes. In practice, security can be enhanced by using a random file name that can’t be predicted. But these files will still get cached in the browser’s local cache.
Option 3 of storing the files in the database and streaming it to the browser with the right content-type directive is the safest option. A program can check the session token of the user, read the file from the database, set cache control directives and stream the content to the browser. The browser will also recognize the content type and call the right plug in to render it.