A template for serve-static with a direct download option (requires serve-index).
AJ ONeal 5e4f9915e4 v1.0.4: SECURITY check file.stat & 0o0004 to ignore privatefiles 2018-08-12 04:09:24 -06:00
public remove empty file 2018-08-12 03:33:21 -06:00
.gitignore add deps and .gitignore 2018-08-12 03:36:55 -06:00
LICENSE initial commit 2018-08-12 03:27:28 -06:00
README.md v1.0.3: fix typo in docs 2018-08-12 04:03:50 -06:00
example.js v1.0.2: created working example, updated docs 2018-08-12 04:01:01 -06:00
index.js v1.0.4: SECURITY check file.stat & 0o0004 to ignore privatefiles 2018-08-12 04:09:24 -06:00
package.json v1.0.4: SECURITY check file.stat & 0o0004 to ignore privatefiles 2018-08-12 04:09:24 -06:00

README.md

serve-tpl-attachment

// serve-index requires the root directory as its first argument
var serveIndex = require('serve-index')('./public', {
  template: require('serve-tpl-attachment')()
});

A fork of the original serve-index template that, in combination with serve-static, provides support for direct file downloads (using the Content-Disposition attachment header).

Example Usage

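var path = require('path');
var express = require('express');
var serveTpl = require('serve-tpl-attachment');
var serveIndex = require('serve-index')('./public', { template: serveTpl() });

var app = express();

app.use('/', function (req, res, next) {
  // enable direct downloads for express.static()
  // (any request carrying a ?download query parameter is sent as an attachment)
  if (req.query.download) {
    res.setHeader('Content-Type', 'application/octet-stream');
    // the filename is the last path segment of the URL, query string removed
    res.setHeader('Content-Disposition', 'attachment; filename="'+
      path.basename(req.url.replace(/\?.*/, ''))
    +'"');
  }
  next();
}, express.static('./public'), serveIndex);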

Additional Options

privatefiles

As an additional security precaution, you can ignore files that are not world-readable.

For example, this would prevent files in ~/.ssh from being read even when dotfiles are allowed.

{ privatefiles: 'ignore' }

var serveTpl = require('serve-tpl-attachment');

var serveTemplate = serveTpl({ privatefiles: 'ignore' })

This is most effective on Unix-based systems (macOS, Linux, Android). Windows may rely on ACLs instead of user-group-other style permissions.