Django – Understanding X-Sendfile
I’ve been doing some research regarding file downloads with access control, using Django. My goal is to completely block access to a file, except when accessed by a specific user. I’ve read that when using Django, X-Sendfile is one of the methods of choice for achieving this (based on other SO questions, etc). My rudimentary understanding of using X-Sendfile with Django is:
- User requests URI to get a protected file
- Django app decides which file to return based on URL, and checks user permission, etc.
- Django app returns an HTTP Response with the ‘X-Sendfile’ header set to the server’s file path
- The web server finds the file and returns it to the requester (I assume the web server also strips out the ‘X-Sendfile’ header along the way)
Compared with chucking the file directly from Django, X-Sendfile seems likely to be a more efficient method of achieving protected downloads (since I can rely on Nginx to serve files, vs Django), but leaves 2 questions for me:
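The four steps listed above, as an added example that is not part of the original question: a plain-Python stand-in for the Django view that performs the permission check, confines the requested name to the protected directory, and then hands delivery to the web server via a header. Nginx implements this hand-off with its own `X-Accel-Redirect` header pointing at an `internal` location, while Apache's mod_xsendfile uses `X-Sendfile` with a filesystem path; the example emits either. `PROTECTED_ROOT`, the `/protected-internal/` location name, the `FILE_OWNERS` mapping, and the `protected_download` function are all constructed for illustration and are not part of Django or nginx.

```python
import posixpath

# Constructed sample data standing in for the Django models/permission layer.
PROTECTED_ROOT = "/srv/protected"            # assumed: directory the web server alone can read
INTERNAL_LOCATION = "/protected-internal/"   # assumed: nginx "internal" location aliased to PROTECTED_ROOT
FILE_OWNERS = {"reports/q1.pdf": "alice"}    # constructed: relative file name -> the one user allowed to fetch it

# Matching nginx fragment (assumed configuration, not from the question):
#   location /protected-internal/ {
#       internal;                 # refuses direct client requests; only reachable via X-Accel-Redirect
#       alias /srv/protected/;
#   }


def resolve_protected_path(relative_name):
    """Return the absolute path of relative_name inside PROTECTED_ROOT, or None if it escapes it.

    The check is done lexically with posixpath so it is deterministic and does not
    depend on the files existing; it rejects '..' segments and absolute names.
    """
    candidate = posixpath.normpath(posixpath.join(PROTECTED_ROOT, relative_name))
    if posixpath.commonpath([PROTECTED_ROOT, candidate]) != PROTECTED_ROOT:
        return None
    if candidate == PROTECTED_ROOT:   # the root itself is not a downloadable file
        return None
    return candidate


def protected_download(user, relative_name, backend="nginx"):
    """Mimic the Django view: authorize, then delegate the byte transfer to the web server.

    Returns a dict with the HTTP status and headers the view would set. A real view
    would wrap these in django.http.HttpResponse; the body stays empty because the
    web server, not the application, streams the file.
    """
    full_path = resolve_protected_path(relative_name)
    if full_path is None:
        return {"status": 404, "headers": {}}          # never reveal paths outside the root
    if FILE_OWNERS.get(relative_name) != user:
        return {"status": 403, "headers": {}}          # authenticated but not the permitted user

    headers = {
        # Content-Disposition is set by the app; the web server fills in Content-Length.
        "Content-Disposition": 'attachment; filename="%s"' % posixpath.basename(relative_name),
    }
    if backend == "nginx":
        # nginx expects an internal URI, not a filesystem path.
        headers["X-Accel-Redirect"] = INTERNAL_LOCATION + relative_name
    else:
        # Apache mod_xsendfile expects the absolute filesystem path.
        headers["X-Sendfile"] = full_path
    return {"status": 200, "headers": headers}


if __name__ == "__main__":
    for user, name in [("alice", "reports/q1.pdf"), ("bob", "reports/q1.pdf"), ("alice", "../etc/passwd")]:
        print(user, name, protected_download(user, name))
```

The permission lookup is keyed on the exact stored name, and the path check runs before it, so a traversal attempt like `../etc/passwd` is answered with 404 before any ownership data is consulted; the web server's `internal` directive is the second half of the design, since without it a client could request `/protected-internal/...` directly and bypass the view.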