How can I prevent non-logged-in users from accessing PDFs/DOCs/etc.?
Posted on 2014-01-09
I inherited various web clients from another developer many years ago. One client site, that's probably over 8 years old, has some serious security issues. Recently, a PDF that they thought was only accessible through the client's login showed up on a Google search and opened just fine. Since they assumed these could only be accessed when their client's logged in, they're understandably freaking out.
I plan to add SSL so that, at the very least, their login codes are encrypted. I've also added a robot.txt file so they won't index them anymore; however, what is the best way to prevent anyone from entering www.domain.com/pdf/filename.pdf into the browser to view these documents?
The host told me that I'd have to secure that directory with a password, meaning they'd have to log into their account, then add another username/password to open any of these files. I can't believe this is the answer. So, I'm coming to you brilliant folks.
Any ideas for how to assure this client that their private documents are private? Let me know. Thanks.