Hidden Download still can be downloaded


Nextcloud version (eg, 20.0.5): 24 or latest
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.41
PHP version (eg, 7.4): 7.4.3

The issue I am facing:

I have a file that is shared publicly, and I turned on hidden downloads and turned off the edit permission. However, I found the trick to download the file, just add /download after the public link. Example:
http://172.19.1.227/index.php/s/p7dBqoKFEypoHyq/download

Is this the first time you’ve seen this error? (Y/N): Y

Hi @Fajri_Siddiq

It’s working as designed. The ‘Secure View’ feature respective the ‘Hide download’ checkbox just removes the buttons for downloading the files from the UI. It doesn’t offer any real protection. See here for more info… Secure view - Prevent your shared files from getting downloaded - Nextcloud

2 Likes

@Fajri_Siddiq @bb77
I think with a change in the programming the /download-path also can be disabled. Maybe you like to write an issue.

But also then you can use browser dev functions (F12) and download the file. Also I think you can find the viewed (downloaded :wink: ) file always in your cache.

1 Like

Oh, is that true? Because I found the article that says the bug is fixed.

Sorry, forgot the link:

Oh okay… Is there any other way to prevent the user from downloading? Probably using another app like collabora maybe?

Doesn’t really matter imho. Even with that fixed you would still be able to obtain the link by using the Network Monitor in your browser. You can’t really protect your files from being downloaded. If you serve them to someone they can be downloaded. That’s just how the internet works. Otherwise you would have to implement some kind of DRM protection similar to what the big streaming providers do.

Regarding the specific “Hacker One” issue you mentioned, you might want to check on GitHub to see what the status is…

1 Like

I tested it with Collabora Online and OnlyOffice (both hide download). In both cases you can add /download to the share url to download the file. Maybe someone can create an issue.

It’s really a moot point because no matter how you shake it, you are sending the data to the client anyway. You can’t realistically send data to the client and expect to prevent them from being able to save it locally.

2 Likes

@nickvergessen
Hi. You wrote in the last years on HackerOne.
I think @KarlF12 is right, but is there a possibility to also deactivate /download in the option “hide download”? Is there an issue? Can you create an issue? Maybe it increases security a little bit.

The /download endpoint is used by the viewers to show PDF, images, videos and more. It’s exactly the reason why the feature is called “Hide download” not “Prevent download”.
Anything you want people to see needs to be downloaded to their computer in one way or the other.

2 Likes
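Because the flag only removes buttons, an administrator may want to know which public links rely on it. The following is an added example (not Nextcloud's own code): it reads the OCS Share API response, which carries a `hide_download` field and the link `url` for `share_type` 3, and reports every public link that depends on “Hide download”; the base URL, user and app password are placeholders.

```python
"""List public link shares that rely on 'Hide download' (cosmetic only)."""
import json
import urllib.request
from base64 import b64encode

SHARE_TYPE_LINK = 3  # OCS share_type value for public links
OCS_SHARES = "/ocs/v2.php/apps/files_sharing/api/v1/shares?format=json"


def fetch_shares(base_url, user, app_password):
    """Live call: fetch all shares visible to `user` via the OCS Share API."""
    req = urllib.request.Request(base_url.rstrip("/") + OCS_SHARES)
    cred = b64encode(f"{user}:{app_password}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    req.add_header("OCS-APIRequest", "true")  # required by OCS endpoints
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def hidden_download_links(ocs_json):
    """Return public links whose hide_download flag is set.

    Such shares are still fully downloadable (the viewers fetch the same
    /download endpoint), so treat them as ordinary public downloads when
    reviewing what is exposed.
    """
    findings = []
    for share in ocs_json["ocs"]["data"]:
        if share.get("share_type") != SHARE_TYPE_LINK:
            continue
        if int(share.get("hide_download", 0)) != 1:
            continue
        findings.append({
            "path": share["path"],
            "url": share["url"],
            "permissions": share.get("permissions"),
        })
    return findings


# Constructed sample of an OCS response (not real share data).
SAMPLE_OCS = {"ocs": {"meta": {"status": "ok"}, "data": [
    {"id": "1", "share_type": 3, "path": "/contract.pdf", "permissions": 1,
     "hide_download": 1, "url": "https://cloud.example/index.php/s/AbCdEf123456"},
    {"id": "2", "share_type": 3, "path": "/photos", "permissions": 1,
     "hide_download": 0, "url": "https://cloud.example/index.php/s/ZyXwVu654321"},
    {"id": "3", "share_type": 0, "path": "/notes.md", "permissions": 31,
     "share_with": "bob"},
]}}

if __name__ == "__main__":
    # Replace SAMPLE_OCS with fetch_shares("https://cloud.example", "admin", "app-password")
    for f in hidden_download_links(SAMPLE_OCS):
        print(f"{f['path']}  (perm={f['permissions']})  {f['url']}")
```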

While I absolutely agree there is no absolute security, such a feature should be more than just deactivating download buttons… e.g. the /download endpoint could be restricted to the server itself and authorized WOPI endpoints, so nobody could download the file… copy&paste must be disabled etc…

Definitely, as a last resort you can’t prevent screenshots (or captures using an external device), but the user could expect a little more protection behind a feature called “Secure View”… otherwise I would suggest removing it completely as the name is misleading (same as Tesla’s “Autopilot”)…

1 Like

+1
I also think that Nextcloud is making it far too easy for itself at this point. But maybe Nextcloud just thinks users are stupid.

Either:
a.) Distinguish at “download”.
b.) remove hide download

I wrote an issue.
You can like or dislike the issue.