Secure PDF Download

I’m not sure what category to put this under, but I’m reaching out to the Forum to get some sage advice on how to handle a “Free Download” website feature. I want to have several free PDF downloads upon filling out a form or quiz funnel. However, I’m not sure how to handle this on Treepl.

I know I can have a “members only” section but even I get annoyed when I respond to a free download and they want me to set up an account. I think that method will lower my conversion ratio.

I’m guessing the next option is to have an auto responder email with a link or PDF attachment. I know the attachment has a high chance of triggering the email into a Junk folder. That leaves the email autoresponder with a link.

If I have an email autoresponder with a link to a page, how do I make it secure? I don’t want the link to be accessed by just anyone with the URL.

So, what are my best options? How are you handling this feature?

Thanks in advance for your advice and suggestions.
Patricia

If the download link is publicly accessible then there is no real way to protect it.

But one way to make it more difficult is to capture something specific about the user and use that data to identify them when they try to access the link later.
For this, we really only have their IP address (and this is not 100% reliable).

So you could capture their IP address in the initial request form.
Then, in the autoresponder, construct a link to a download page (not the file directly) with the IP address as a URL parameter.
Using Liquid on that page, check if the IP in the URL matches the user’s current IP address.
If it does, show a download button.
If not, show an appropriate message and/or provide the request form again so they can resubmit with their now current IP address and try again (because it’s likely that their IP has changed if they’ve left it too long to download the file).

The download button you show will have a public link to the file, which the user could find and share, but it at least makes it harder for them.
If you really needed to secure this file, you could put it behind a secure zone and have a single generic login, which you then submit via a hidden login form in the background before showing the download button.
So even if they do share the link, no one else can simply use it without qualifying the other checkpoints.

Not 100% secure or fool-proof, but should be good enough to stop most cases of link sharing.

Alternatively, for a low-tech option, every so often just change the location of the file so anyone using an older link will come to a dead end.
The frequency of change would depend on the traffic volume requesting the download, and you may stop a few legitimate users from accessing the file but it’s a simple option.

Perhaps combine both techniques together for an extra layer of security…

Hopefully, this offers some food for thought.
Would be interesting to hear other partners’ ideas on this too.

It doesn’t have to be super secure. I just want to be able to get lead information from the download. What if I charged a small amount for it, let’s say $7.00, but for some of my promotions give out a free coupon code?
Thanks for your input.

Charging for the download doesn’t really change anything regarding the ‘security’ of the file download link.
Unless you implement it as an eCommerce product with a downloadable file - where the system generates a unique download link and you can limit the number of times it’s downloaded per purchase. But I doubt introducing a shopping cart workflow would be desirable for your use case here.

1 Like
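One general way a unique, expiring, limited-use download link like the one mentioned in the reply above can work, as an added example that is not code from this thread or from Treepl. It assumes a server-side handler you control; `issue_token`, `redeem`, `SECRET_KEY`, `LINK_LIFETIME` and `MAX_DOWNLOADS` are illustrative names and values.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumptions for this sketch: names and values are illustrative.
SECRET_KEY = secrets.token_bytes(32)  # server-side only, never sent to the browser
LINK_LIFETIME = 24 * 3600             # seconds a link stays valid
MAX_DOWNLOADS = 3                     # redemptions allowed per link
_redeemed = {}                        # link_id -> count (a database table in practice)


def _sign(payload):
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_token(file_id, now=None):
    """Create the token for one form submission; it goes in the emailed URL."""
    now = time.time() if now is None else now
    link_id = secrets.token_urlsafe(16)  # unique per submission, contains no dots
    payload = f"{link_id}.{file_id}.{int(now) + LINK_LIFETIME}"
    return f"{payload}.{_sign(payload)}"


def redeem(token, now=None):
    """Return (file_id, 'ok') if the download may proceed, else (None, reason)."""
    now = time.time() if now is None else now
    payload, _, sig = token.rpartition(".")
    # Constant-time comparison; a forged or edited token fails here.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None, "invalid"
    # The payload is authentic from here on, so parsing it is safe.
    link_id, rest = payload.split(".", 1)
    file_id, expires = rest.rsplit(".", 1)
    if now > int(expires):
        return None, "expired"
    if _redeemed.get(link_id, 0) >= MAX_DOWNLOADS:
        return None, "limit reached"
    _redeemed[link_id] = _redeemed.get(link_id, 0) + 1
    return file_id, "ok"
```

Unlike the IP-in-URL check, this does not break when the visitor's address changes, but the file itself must only be served by the handler that calls `redeem`, never from a public path.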

I created an adequate method for a similar purpose that presents the download link on the success page following form submission.

In my case there’s a custom module with multiple list items with each having a file to download. The objective is to have the user submit their details to access the download link.

In the custom module I have a custom Media field called “File”. The file is added/uploaded when creating the items.

On the front end the list items display a button to “Get Download Link”. The button opens a popup modal containing a form for the user to submit their info. The form includes a hidden field:

<div class="hide">
  <!-- Hidden field carrying the item's file URL into the form submission -->
  <input class="hide" type="text" id="downloadlink{{counter}}" name="downloadlink" value="{{this['File']}}">
</div>

The success page (Admin > Settings > System Pages: form-submission-results) includes the following section to display a download button when applicable.

{% comment %} Show the button only when the submitted form carried a download link {% endcomment %}
{% if this.formSubmissionData.fields.custom.downloadlink.value != null %}
  <div class="text-center">
    <a class="button btn btn-primary btn-lg" href="{{ this.formSubmissionData.fields.custom.downloadlink.value }}">Download Your File</a>
  </div>
{% else %}
  <h1 class="system_title">Thank you.</h1>
  <p class="system_text">Your request was successful.</p>
{% endif %}

It’s not secure. But the user only gets to see the download button once. Hopefully this offers some ideas.