Security For Downloading .bin Files

I have created .bin file download functionality. All my .bin files are stored in the 'storage/app/files' folder. The user presses the download button in the view template, which calls the controller that handles all the download functionality (checking whether the user is logged in and whether the file exists in the 'storage/app/files' folder). My question is: is it safe to store all my important files in this folder? Do I need to write a .htaccess file?



Only your public folder (with index.php) should be accessible; this is the root directory (sometimes the directory is named public_html).

Any directories outside that (like storage/app/vendor etc.) should be unreachable by URL.

"Everything" must go through index.php first if you want to keep control of your files. So in order to serve assets like storage/app/files/xxx.png you should be using a controller. That code could look something like this:

// SomeController.php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
public function showAvatar(Request $request)
{
    // Select the `local` disk as defined in `config/filesystems.php`.
    $disk = Storage::disk('local');
    return response()->file($disk->path('files/xxx.png'));
}

You can then use middleware or other code to provide restrictions to these files.
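The controller-plus-middleware approach described in the answer, applied to the .bin downloads from the question. This is an added example, not part of the original answer; the class name `FileDownloadController` and the `/download/{name}` route are hypothetical, and it assumes the `local` disk root is `storage/app` as on the page.

```php
<?php
// Added example, not code from the original post.
// Hypothetical names: FileDownloadController, the /download/{name} route.
//
// routes/web.php (the `auth` middleware rejects guests before the controller runs):
//   Route::get('/download/{name}', [FileDownloadController::class, 'download'])
//       ->middleware('auth');

namespace App\Http\Controllers;

use Illuminate\Support\Facades\Storage;
use Symfony\Component\HttpFoundation\StreamedResponse;

class FileDownloadController extends Controller
{
    public function download(string $name): StreamedResponse
    {
        // Allow-list the file name: letters, digits, "_" and "-" followed by ".bin".
        // Slashes, backslashes, "..", null bytes and other extensions never match,
        // so the request cannot resolve to a path outside storage/app/files.
        if (!preg_match('/\A[A-Za-z0-9_-]+\.bin\z/', $name)) {
            abort(404);
        }

        // Select the `local` disk as defined in `config/filesystems.php`.
        $disk = Storage::disk('local');
        $path = 'files/' . $name;

        // Same 404 for a rejected name and a missing file, so the response
        // does not reveal which names are valid.
        if (!$disk->exists($path)) {
            abort(404);
        }

        // Stream as an attachment with a generic type so the browser saves
        // the file instead of trying to interpret its contents.
        return $disk->download($path, $name, [
            'Content-Type' => 'application/octet-stream',
            'X-Content-Type-Options' => 'nosniff',
        ]);
    }
}
```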