What this section covers

Hosting downloadable files (software archives, documentation PDFs, media files) introduces unique security challenges. This guide covers strategies to protect both your infrastructure and your visitors.

Why download security matters

Download archives present risks:

  • Malware distribution: Attackers may replace legitimate files with malicious ones
  • Bandwidth abuse: Hotlinking and scraping consume resources
  • Legal liability: Hosting unauthorized or harmful content
  • Integrity questions: Users need confidence files are unmodified

Security strategies

File integrity verification

Provide cryptographic proof that files are authentic:

Checksums for every download:

file.zip (10.2 MB)
SHA-256: a3b5c7d9e1f2a4b6c8d0e2f4a6b8c0d2e4f6a8b0c2d4e6f8a0b2c4d6e8f0a2b4

PGP signatures (for critical software):

  • Sign archives with a GPG key
  • Publish public key on keyservers
  • Include signature file (.asc) alongside download
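
One way to run the checksum check from the publisher's side, as an added example (not wplus.net's own code): audit a download directory against a `sha256sum`-style manifest and flag replaced, missing, unlisted and out-of-tree files. The manifest format, function names and status labels are assumptions, and the sample file is constructed.

```python
import hashlib
import string
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex chars>  <relative name>'."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name[1:] if name[:1] in (" ", "*") else name  # '*' marks binary mode
        if len(digest) != 64 or not set(digest) <= set(string.hexdigits) or not name:
            raise ValueError(f"manifest line {lineno} is malformed")
        entries[name] = digest.lower()
    return entries

def audit_downloads(root, manifest_text):
    """Return {name: status}: ok, MISMATCH, MISSING, UNLISTED or OUTSIDE_ROOT."""
    root, report = Path(root).resolve(), {}
    for name, expected in parse_manifest(manifest_text).items():
        target = (root / name).resolve()
        if not target.is_relative_to(root):
            report[name] = "OUTSIDE_ROOT"  # manifest entry escapes the download directory
        elif not target.is_file():
            report[name] = "MISSING"
        elif sha256_file(target) == expected:
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"      # content differs from the published hash
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in report:
            report[rel] = "UNLISTED"       # on disk but never published in the manifest
    return report

if __name__ == "__main__":  # constructed sample: the published hash no longer matches the file
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "file.zip").write_bytes(b"tampered bytes")
        print(audit_downloads(d, hashlib.sha256(b"original bytes").hexdigest() + "  file.zip\n"))
```

Keep the manifest outside the audited directory (or sign it), otherwise whoever can replace a download can replace its checksum too.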

Access controls

Prevent unauthorized modification:

  • Read-only hosting: Deploy downloads from Git (immutable)
  • CDN caching: Serve from edge, not origin
  • No upload endpoints: Static sites eliminate upload vectors
  • Access logging: Track all download requests

Malware scanning

For user-submitted or legacy content:

  • VirusTotal API integration for scanning
  • ClamAV for open-source scanning
  • Quarantine suspicious files
  • Clearly label file sources and verification status

Download page best practices

Every downloadable file should have a reference page:

Required information

  1. File description: What it is, what it does
  2. Safety status: Verified/unverified/community-submitted
  3. Checksums: SHA-256 minimum
  4. File size and format: Help users verify downloads
  5. Source: Where it came from originally
  6. Last verification date: When you last scanned/checked it

Example download page structure

## Download: example-tool.zip

**Status:** ⚠️ Community Archive (Unverified)
**Size:** 2.4 MB
**Format:** ZIP archive
**SHA-256:** `abc123...`

### Safety notes

This file was archived from a historical source and has not been verified by wplus.net. Users should:

- Scan with up-to-date antivirus
- Verify checksum matches
- Use in a sandboxed environment
- Consider alternative verified sources

### Related documentation

- [Using tool X safely](/guide/tool-x-safety/)
- [Sandbox testing guide](/security/sandbox-basics/)

Bandwidth protection

Prevent hotlinking and scraping:

Cloudflare techniques

  • Hotlink protection: Block referrers from unauthorized domains
  • Rate limiting: Limit requests per IP
  • Bot fight mode: Challenge suspected automated access
  • Signed URLs: Time-limited download tokens

Technical implementation

In _headers file:

/downloads/*
  X-Robots-Tag: noindex
  Cache-Control: public, max-age=31536000

In _redirects:

# Block hotlinking to downloads (except from wplus.net domains)
/downloads/*  https://wplus.net/downloads/hotlink-info  403  conditions=Referer:!*wplus.net*,Referer:*

Technical glossary

Checksum : Cryptographic hash used to verify that a file hasn't been modified (SHA-256, MD5)

Hotlinking : Direct linking to files on your server from external sites, consuming bandwidth

PGP/GPG : Public-key cryptography for signing files and verifying authenticity

Rate limiting : Restricting the number of requests from a single source within a given time period

Sandbox : Isolated environment for testing potentially unsafe files