Where best to store images and video?

Currently I am storing video and images inside the root directory using Apache. Yesterday, however, I created a folder outside the root directory and tested storing video there with the .htaccess below to limit the file types stored there to image and video. The .htaccess worked.

ForceType application/octet-stream
Header set Content-Disposition attachment
<FilesMatch "(?i)\.(gif|jpe?g|png|mpeg|flv|mp4)$">
    ForceType none
    Header unset Content-Disposition
</FilesMatch>
Header set X-Content-Type-Options nosniff

I then discovered this article, which, if I understand it correctly, suggests it's safer to store outside the root directory. But I must create an image tag with src="separate php file to serve images" instead of the image or video address like I currently have. My guess is that this way keeps the image/video folder address hidden. Please shed some light on this for me.
http://www.creativebloq.com/web-design/website-security-tips-protect-your-site-7122853

1. If I store outside the root directory, must I use a php file instead of the directory address in the image tag's src= attribute? That is, will just an image/video address in the src= attribute work? I have not tested this.

2. If I am correct, my php page as is pings the server for every call to the database. There are multiple calls to the database on each page. Now, if I add to that a php file (inside the src= attribute) for every image on the main page to deliver image addresses, and there will be 10 or more images, will this ping the server for each image address I seek? Assume I am building the next Twitter. I want to be efficient.

3. With the above .htaccess in place, is the idea of storing outside the root directory overkill and not worth the extra pings to the server? I read that Google keeps images in a blob store. Maybe that's a clue.

Thanks for your advice.
kadinAsked:

GaryCommented:
1. Yes - a browser only has access to your root folder and below
2. See 3
3. Yes - waste of time - if this is meant as some kind of security measure to protect your content then you are just wasting your time trying to prevent it, when in reality it is doing nothing to protect your content.
If you want to stop hotlinking to your content then there are other ways to do it.
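Gary's first point is the reason a script is needed at all once the folder lives outside the document root. As an added example (not from the thread, and not the asker's code), here is a minimal PHP serve.php that streams a file from an assumed directory /var/www/media outside the root while enforcing the same extension whitelist and nosniff header as the .htaccess above; the directory path, the allowed-type map and the f parameter name are assumptions.

```php
<?php
// Added example: serve a media file stored OUTSIDE the web root.
// Assumed layout: /var/www/html is DocumentRoot, /var/www/media holds the files.
// Used as <img src="/serve.php?f=cat.jpg">; the browser never learns the real path.
declare(strict_types=1);

const MEDIA_DIR = '/var/www/media';                 // assumption: outside DocumentRoot
const ALLOWED = [                                   // extension => MIME type we will send
    'gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png', 'mp4' => 'video/mp4',
];

// Returns the absolute path to serve, or null if the request must be refused.
function resolve_media(string $name): ?string
{
    // One plain lowercase name with exactly one extension:
    // rejects "../x", "a.php.jpg", "x.PHP" and anything with a slash.
    if (!preg_match('/^[a-z0-9_-]{1,64}\.([a-z0-9]{2,5})$/', $name, $m)) {
        return null;
    }
    $ext = $m[1];
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    $path = realpath(MEDIA_DIR . '/' . $name);
    // realpath() returns false for missing files and resolves symlinks,
    // so re-check that the final location is still inside MEDIA_DIR.
    if ($path === false || strpos($path, MEDIA_DIR . '/') !== 0 || !is_file($path)) {
        return null;
    }
    // The bytes must agree with the extension, not only the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($path) !== ALLOWED[$ext]) {
        return null;
    }
    return $path;
}

$path = resolve_media($_GET['f'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit;
}
$ext = pathinfo($path, PATHINFO_EXTENSION);
header('Content-Type: ' . ALLOWED[$ext]);
header('X-Content-Type-Options: nosniff');          // same header the .htaccess above sets
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

This is also the answer to question 2: every image on the page becomes one extra PHP request, which is the cost Gary is weighing against the (absent) benefit.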
kadinAuthor Commented:
Thanks for your response.

Are you saying it is a waste of my time because with the .htaccess above it is already pretty secure?
What other ways of doing it are you referring to?
GaryCommented:
What is the purpose of what you are doing?
kadinAuthor Commented:
I forgot to mention that the purpose is to prevent someone uploading a php file disguised as an image file. The above .htaccess forces the type and stops PHP files from being executed.

And the purpose is also general security for matters I am unaware of.
GaryCommented:
Ermmm, how could someone disguise an image file as a PHP file?
For a php file to go through the PHP parser it has to end in .php.
Do you mean someone uploading the file and then browsing to it?
If so, just use a normal folder under your root, add an .htaccess file to the folder and in the .htaccess add this:

<Files  ~ "\.php$">
  Order allow,deny
  Deny from all
</Files>

kadinAuthor Commented:
"how could someone disguise an image file as a PHP file?"
I read on this page that double extensions can get through: filename.php.jpg
https://www.acunetix.com/websitesecurity/upload-forms-threat/

My above .htaccess should also prevent this, if I read correctly here, or at least prevent the php file from being executed:
https://github.com/blueimp/jQuery-File-Upload/wiki/Security
GaryCommented:
Ok, if you use the following in your .htaccess it will block everything that is not in the image list, even if they add another extension to it, like file.php.xkd:

Order Allow,Deny 
Deny from all 
<FilesMatch "\.(jpg|jpeg|gif|png)$">
Order Deny,Allow
    Allow from all
</FilesMatch>

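The .htaccess above decides what Apache will serve from the folder; the upload handler decides what gets written there in the first place. As an added example (not from the thread, and not the asker's code), a PHP acceptance check that applies the same jpg/jpeg/gif/png whitelist, refuses the double-extension names discussed above such as filename.php.jpg, verifies the file's magic bytes, and stores it under a random name so the uploader's chosen name is never used; the upload directory and the form field name are assumptions.

```php
<?php
// Added example: server-side acceptance test for an upload into the
// whitelist-protected folder. Assumed: /var/www/html/uploads is the folder
// that carries the .htaccess above.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/html/uploads';                    // assumption
const IMAGE_TYPES = [                                          // MIME => accepted extensions
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/gif'  => ['gif'],
    'image/png'  => ['png'],
];

/**
 * Returns the stored file name on success, or null if the upload is rejected.
 * $tmpFile is PHP's temporary upload path ($_FILES['f']['tmp_name']).
 */
function accept_image(string $originalName, string $tmpFile): ?string
{
    // Exactly one dot: "cat.jpg" passes, "cat.php.jpg" does not.
    if (substr_count($originalName, '.') !== 1) {
        return null;
    }
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    // Decide by content, never by the client-supplied name or $_FILES[...]['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpFile);
    if ($mime === false || !isset(IMAGE_TYPES[$mime])) {
        return null;
    }
    // Magic bytes and extension must agree (a PNG named .jpg is refused).
    if (!in_array($ext, IMAGE_TYPES[$mime], true)) {
        return null;
    }
    // Discard the uploader's name entirely; only our extension survives.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() refuses anything that was not really uploaded via POST.
    if (!move_uploaded_file($tmpFile, UPLOAD_DIR . '/' . $stored)) {
        return null;
    }
    return $stored;
}

// Usage from a form with <input type="file" name="f"> (field name assumed):
// $name = accept_image($_FILES['f']['name'], $_FILES['f']['tmp_name']);
```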
kadinAuthor Commented:
Do you think I can add what you said to what I already have? Because I think there are additional security measures in what I have.

Order Allow,Deny 
Deny from all 
<FilesMatch "\.(jpg|jpeg|gif|png)$">
Order Deny,Allow
    Allow from all
</FilesMatch>

ForceType application/octet-stream
Header set Content-Disposition attachment
<FilesMatch "(?i)\.(gif|jpe?g|png|mpeg|flv|mp4)$">
    ForceType none
    Header unset Content-Disposition
</FilesMatch>
Header set X-Content-Type-Options nosniff

GaryCommented:
You can, so you end up with:

ForceType application/octet-stream
Header set Content-Disposition attachment
Order Allow,Deny 
Deny from all 
<FilesMatch "(?i)\.(gif|jpe?g|png|mpeg|flv|mp4)$">
Order Deny,Allow
    Allow from all
    ForceType none
    Header unset Content-Disposition
</FilesMatch>
Header set X-Content-Type-Options nosniff

There is no point having the folder outside your root - you are just making more work for yourself with no benefit
kadinAuthor Commented:
Thanks for your help. I will leave folder inside root.