Private Files

There are two types of files in Drupal, Public and Private.  Public files, like the files uploaded to your site are public files.  These are files that available to anyone that knows the URL.

If you do not want to make a file public, make it private!

To configure private files, navigate to admin > config > file system or admin/config/media/file-system

Drupal Private Files Link
The red arrow shows you where to click to access the private files configuration.

You will see four sections:

  • Public file system path
  • Private file system path
  • Temporary directory
  • Default download method

Public file system, by default is sites/default/files.  You can change this, if you want to.  Many larger multi server sites will change this to point to a shared drive.

Private files is where you want to place your private files.  When you select an area, Drupal will by default create .htaccess file for you this.  This configuration file for Apache makes the files secure.

Now you can add a field to a content type and set that field as a private file type.  First navigate to a content type and add a file field.

Drupal content types file field
Add a file field to your content type.

When you save the content type, you will be taken to the Field Settings page, from here you can decide you upload destination.

Drupal Upload destination public private files
You can select how you want your files stored.

Save the upload to private and continue to configure your field.

Warning!  Private files come at a price!  When a request comes for a private file, Drupal will boot strap that request and run through the entire process before serving that file.  Do not make all your files private!  Remember performance!