I have an application that allows users to export data to a CSV file. The export works by generating a URL to the CSV file that the user can click to download.
The problem is that after the initial download, the URL still exists and allows access to the CSV file. I tested this by manually copying the link after the initial download and was still able to access the CSV file without requiring a login.
This is a security concern because the CSV contains sensitive personal information. If someone was monitoring network traffic or was able to sniff the link, they could gain ongoing access to download the CSV file even after the initial user downloaded it.
The ideal solution would be to destroy or invalidate the URL immediately after the authorized user’s first download. This would prevent further access to the CSV file.
Can someone tell me if there is a way to expire the URL right after the CSV file is downloaded the first time? This will ensure the CSV can’t be accessed again via the original link.
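
One way to get the behaviour asked for above, as an added example that is not part of the original post: the export URL carries a random token that the server accepts once, only before a short deadline, and only from the logged-in user it was issued to. The class name `OneTimeLinks`, its parameters and the in-memory store are assumptions made for illustration; an application running several processes would need a shared store with an atomic delete instead.

```python
import hashlib
import secrets
import threading
import time


class OneTimeLinks:
    """Single-use, short-lived download tokens bound to the requesting user."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._lock = threading.Lock()
        # sha256(token) -> (user_id, file_id, expires_at); the raw token is
        # never stored, so a leaked table cannot be replayed as URLs.
        self._pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id, file_id):
        """Create the token that goes into the export URL."""
        token = secrets.token_urlsafe(32)
        entry = (user_id, file_id, self._clock() + self._ttl)
        with self._lock:
            self._pending[self._digest(token)] = entry
        return token

    def redeem(self, token, session_user_id):
        """Return file_id exactly once for the right logged-in user, else None."""
        key = self._digest(token)
        with self._lock:  # check and delete under one lock: no double download
            entry = self._pending.get(key)
            if entry is None:
                return None  # unknown or already used
            user_id, file_id, expires_at = entry
            if self._clock() >= expires_at:
                del self._pending[key]
                return None  # expired before it was used
            if session_user_id != user_id:
                return None  # wrong or missing login; token stays valid for its owner
            del self._pending[key]  # consume before the file is served
            return file_id
```

The download handler would call `redeem()` with the token from the URL and the user from the authenticated session, and stream the CSV only when a file id comes back.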