Gated Content, User Accounts and File Access by Browser

Hello Webflowers,

So I have a user area on my site with most of my CMS as the gated content.

Obviously unless someone has an account, access to the content is not permitted.

But I have noticed that access to the content is available if someone has the direct link to an asset.

Namely the assets-global.website-files.com link.

This content is supposed to be gated, that’s the whole point of a user area.

I have 3 questions:

  1. Could I have done something wrong? (Setting up user areas is pretty basic, not sure how I could have stuffed it up)

and if not (not a developer so sorry if this is a stupid question),

  2. Is it just that Webflow hosts the CMS elsewhere and delivers it to our sites from there and technically even though it’s supposed to be gated, it’s actually not, because the link to it is not on our domain?? - I’m assuming that because the pages are on our domain that’s what gets gated not the content if it’s from the CMS.

Ideally if a validated User were to view the page source code and say (cheekily) pass those files out to the world, it would be great if trying to access that file resulted in an “access denied” scenario.

  3. If 2 (or something else is the case) - is there a way to truly gate CMS content on Webflow? Do I need to set up the CMS differently? Would it be possible to use the custom attributes somehow to create an “access denied” scenario if the link were to “escape” the user area??

Completely clueless as to how to handle this or even if it’s possible.

Any thoughts and ideas would be greatly appreciated.

@Jodie - Nice to see a complete inquiry, and thanks for taking the time to articulate your needs.

  1. Yes. Webflow uses a CDN where assets are public. Your access control rules affect the page, not linked public assets. Anyone with a link can do what they wish: download, share, or show on another site at your expense (traffic).

  2. To indeed gate assets, you would need to use something like Memberstack, which can provide tools for securing https://docs.memberstack.com/hc/en-us/articles/15074205669403-Hosted-Content. I don’t know if that encompasses actual access control on the asset. They could answer that. Alternatively, you could build something custom. The challenge would be integrating auth since the API has limits.

Since Webflow ceased developing members, I don’t recommend the product for handling this scenario as it is obviously incomplete. If you need a better solution, feel free to reach out; I have lots of experience with other tools that can do the job.

Thanks @webdev - Not being very techy I’ve cottoned on to this way too late.

Copyright is front and center of my mind and the main reason I was looking to gate content assets on my site.

Any input on other tools that can do the job would be much appreciated, thank you.

I’d recommend that you check Memberstack first also, it may have some good options here for protecting files.

With User Accounts, the only solution I’ve built is a reverse proxy that sits between your users and your site. It can retrieve the access groups for the logged in users, which means it can decide what content users have access to, and it can modify and gate those asset URLs.

If you have a technical team who can build that, I’d recommend they use a 2 way hash or at least base64 encoding on the asset URLs to obfuscate them a little bit in your HTML, so that accessing the underlying originals (which are not secured) isn’t as simple as swapping a hostname.

Always keep in mind that securing the URLs still doesn’t prevent someone with access from downloading and sharing the files themselves, so I’d weigh that before you invest too much in trying to secure these. But at least it prevents URL sharing by other sites, and that content appearing in Google SERPs.
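The gating check a reverse proxy like the one described above could apply, as an added example that is not part of the thread or any poster's code. It swaps plain base64 for an AES-256-GCM token, so the origin path stays hidden and each link carries an access group and an expiry; the key, the `/asset/` route and the names `sealAsset`, `openAsset` and `rewriteHtml` are assumptions.

```javascript
// Added example: opaque, expiring asset tokens for a gating reverse proxy.
const nodeCrypto = require("node:crypto");

// Assumption: a 32-byte secret held only by the proxy (constructed for this demo).
const KEY = nodeCrypto.createHash("sha256").update("demo-only-secret").digest();

// Encrypt {path, group, exp} so the HTML never contains the origin asset URL.
function sealAsset(path, group, ttlSeconds, now = Date.now()) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", KEY, iv);
  const body = JSON.stringify({ path, group, exp: now + ttlSeconds * 1000 });
  const ct = Buffer.concat([cipher.update(body, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64url");
}

// Decrypt and authorize. Returns the origin path, or null (proxy answers 403).
function openAsset(token, userGroups, now = Date.now()) {
  try {
    const raw = Buffer.from(token, "base64url");
    if (raw.length < 29) return null; // 12-byte IV + 16-byte tag + ciphertext
    const d = nodeCrypto.createDecipheriv("aes-256-gcm", KEY, raw.subarray(0, 12));
    d.setAuthTag(raw.subarray(12, 28));
    const body = Buffer.concat([d.update(raw.subarray(28)), d.final()]);
    const { path, group, exp } = JSON.parse(body.toString("utf8"));
    if (now > exp) return null;                   // link has expired
    if (!userGroups.includes(group)) return null; // user lacks the access group
    return path;
  } catch {
    return null; // tampered, truncated or foreign token
  }
}

// Rewrite CDN links in a page before it is sent to a logged-in user.
function rewriteHtml(html, group, ttlSeconds) {
  const re = /https:\/\/assets-global\.website-files\.com(\/[^"'\s)]+)/g;
  return html.replace(re, (_, p) => "/asset/" + sealAsset(p, group, ttlSeconds));
}
```

The proxy would call `openAsset` on every `/asset/<token>` request with the logged-in user's groups and fetch the origin file server-side only when it returns a path.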

Thanks @memetican, will look into all this.

@Jodie - You could use WordPress with the AAM plugin (free), which lets you restrict access to files with roles. Works great and is easy to deploy a full membership site with no strings attached. When I build on WordPress I either create a custom theme or use the Bricks Builder, which is a page builder similar to Webflow but with more capabilities. This approach works great for rapid site builds; you just have to pick your plugins and hosting carefully (I handle both for most clients).

If you can separate the design from the backend (traditional) then ProcessWire or Craft work great. I have had clients on ProcessWire where the backend ran without a single error or update (none needed) for over a decade. Very solid tool geared to developers.

If you would like to have a discovery discussion please feel free to reach out with a direct message.