How To Handle Static/media File Permission On Flask?
Solution 1:
Serve your image through Flask instead of your web server, and treat it like any other URL with permissions. Nginx is obviously a much better choice to serve your static files but it won't integrate with Flask.
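The approach from Solution 1, as an added example that is not part of the original answers: a Flask route that checks the session and a per-file owner before streaming a file from a directory the web server does not expose. The names MEDIA_ROOT, FILE_OWNERS, the /media and /login routes and the sample file contents are assumptions made for the demonstration.

```python
import os
import tempfile
from functools import wraps

from flask import Flask, abort, send_from_directory, session

app = Flask(__name__, static_folder=None)  # disable the public /static route
app.secret_key = os.urandom(32)  # constructed key; load a fixed one from config

# Constructed sample data: a private directory outside any web-server root.
MEDIA_ROOT = tempfile.mkdtemp(prefix="protected_media_")
with open(os.path.join(MEDIA_ROOT, "secret_img.jpg"), "wb") as fh:
    fh.write(b"\xff\xd8\xff\xe0 constructed sample bytes")

# Hypothetical ownership table: which user may read which file.
FILE_OWNERS = {"secret_img.jpg": "alice"}


def login_required(view):
    @wraps(view)
    def wrapper(*args, **kwargs):
        if "user" not in session:
            abort(401)  # no authenticated session
        return view(*args, **kwargs)
    return wrapper


@app.route("/media/<path:filename>")
@login_required
def protected_media(filename):
    # Authorize per file, not only "is someone logged in".
    if FILE_OWNERS.get(filename) != session["user"]:
        abort(404)  # same answer for missing and forbidden: no existence leak
    # send_from_directory refuses paths that resolve outside MEDIA_ROOT.
    resp = send_from_directory(MEDIA_ROOT, filename)
    resp.headers["Cache-Control"] = "private, no-store"  # keep out of shared caches
    return resp


@app.route("/login/<name>")
def login(name):
    # Stand-in for real authentication, present only to drive the demo.
    session["user"] = name
    return "ok"
```

Unlike the random-subdirectory idea in Solution 2, knowing the URL is not enough here: the request must also carry a session cookie for the file's owner.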
Solution 2:
You seem to be seeking a solution in which the webserver (nginx) knows things which only the application (flask) knows: whether the requesting browser has authenticated their session.
It might be possible to devise some crafty solution such that the application leaves enough clues lying around for nginx to inspect, but it is not common and, if you're asking the question, probably too tricky-woo for you to perfect a reliable solution.
For example, the application might write to an htaccess file and implement an auth_basic_user_file via the browser. But I wouldn't recommend it.
Or you might attempt security by obscurity by putting the static files into a randomly created subdirectory, e.g. /static/12340A9BN34/secret_img.jpg. But, again, there is no real security here; if you have the path: you have the file.
Someone smart might post a great answer that shows you how to do it, but I'm skeptical that there is a way for you to (trivially) restrict access at the webserver level via application level knowledge.