Brian wrote: > I have a flash app that accesses .xml files. > > The source is viewable and some creative crackers have figured out how to > meld a url together to get vital information from those .xml's.
Well, dont put vital information there :-) > I need to prevent the web client from directly accessing them. > > Is there a directive (such as Apache's) or mechnisim to keep web clients > from accessing yet allow my app access these files? Your flash app is a web client too and thus indistinguishable from any other web client. > Somthing like > > <FilesMatch \.(?i:gif|jpe?g|xml)$> > Order allow,deny > Allow from <some file name> ^^^^ what exactly would you want to put into this hypothetical statement? :-) > Deny from all > <some other web trick> > </FilesMatch> > > in zope.conf or ??? No. Just dont send something over the web to any client what you dont want to send to people. Everything you send can and will be read no matter whats the intended client is. SSL nor custom auth will prevent people from reading it. (see tcpflow and openssl client) Regards Tino _______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )