How can I restrict downloads of doc, docx and xls files in the browser and allow viewing only?
Hey there, let's figure out how to block downloads for doc/docx/xls files while letting users view them online. Here are the most practical approaches, ordered by reliability:
Front-end tricks can be bypassed by tech-savvy users, so server-side settings are your best defense. The key is to set the Content-Disposition header to inline instead of attachment (which triggers downloads). You also need to ensure the correct Content-Type for each file type.
Apache (using .htaccess)
Add these rules to your .htaccess file to target the specific file types:
```apache
<FilesMatch "\.(doc|docx|xls)$">
    # Force inline viewing
    Header set Content-Disposition "inline"
    # Set correct MIME types
    Header set Content-Type "application/msword" env=DOC
    Header set Content-Type "application/vnd.openxmlformats-officedocument.wordprocessingml.document" env=DOCX
    Header set Content-Type "application/vnd.ms-excel" env=XLS
    SetEnvIf Request_URI "\.doc$" DOC
    SetEnvIf Request_URI "\.docx$" DOCX
    SetEnvIf Request_URI "\.xls$" XLS
</FilesMatch>
```
Nginx
Add this to your server or location block:
```nginx
location ~* \.(doc|docx|xls)$ {
    add_header Content-Disposition 'inline';
    # Map file extensions to correct MIME types
    types {
        application/msword doc;
        application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
        application/vnd.ms-excel xls;
    }
}
```
Backend Code Example (PHP)
If you're serving files via a backend script, set the headers directly:
```php
<?php
$filePath = '/path/to/your/file.docx';
$fileName = basename($filePath);

// Set correct content type for docx
header('Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document');
// Force inline viewing
header('Content-Disposition: inline; filename="' . $fileName . '"');
// Send file size (helps browsers render properly)
header('Content-Length: ' . filesize($filePath));

// Output the file
readfile($filePath);
exit;
```
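The PHP snippet above puts the file name straight into the Content-Disposition header, which is unsafe once the name comes from a request or an upload. As an added example (not part of the original answer), the same header set is built here in JavaScript for a Node.js-style backend, with the name sanitized against header injection and the type limited to the three formats on this page; `inlineHeaders` and `MIME_TYPES` are hypothetical names.

```javascript
// Added example: build "view inline" response headers for doc/docx/xls only.
// Allow-list of extension -> MIME type (the three types named on this page).
const MIME_TYPES = new Map([
  ['.doc', 'application/msword'],
  ['.docx', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
  ['.xls', 'application/vnd.ms-excel'],
]);

// Returns a headers object, or null when the name is not an allowed type.
function inlineHeaders(requestedName, sizeBytes) {
  // Keep only the last path segment, then drop control characters
  // (CR/LF included) so the name cannot start a new header line.
  const name = String(requestedName)
    .split(/[\\/]/).pop()
    .replace(/[\x00-\x1f\x7f]/g, '');

  const dot = name.lastIndexOf('.');
  const ext = dot > 0 ? name.slice(dot).toLowerCase() : '';
  const type = MIME_TYPES.get(ext);
  if (!type) return null;

  // ASCII fallback for the quoted form: non-ASCII, quotes and backslashes
  // become "_" so the quoted string cannot be closed early.
  const ascii = name.replace(/[^\x20-\x7e]/g, '_').replace(/["\\]/g, '_');

  // RFC 5987 form (filename*) carries the real UTF-8 name, percent-encoded.
  let encoded;
  try {
    encoded = encodeURIComponent(name).replace(
      /['()*]/g,
      (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase()
    );
  } catch (e) {
    return null; // malformed UTF-16 (lone surrogate) in the name
  }

  return {
    'Content-Type': type,
    'Content-Disposition': `inline; filename="${ascii}"; filename*=UTF-8''${encoded}`,
    'Content-Length': String(sizeBytes),
    // Tell the browser not to guess a different type than the one declared.
    'X-Content-Type-Options': 'nosniff',
  };
}
```

With Node's `http` module the result can be passed to `res.writeHead(200, headers)`; a `null` result should map to a 404 or 415 response.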
These front-end measures won't stop determined users, but they'll block casual attempts to download.
Disable Right-Click for File Elements
Add this JavaScript to prevent the context menu (which includes "Save As") for file-related elements:
```javascript
document.addEventListener('contextmenu', (e) => {
  // Check if the target is an iframe displaying the file, or a link to the file
  if (e.target.tagName === 'IFRAME' || e.target.href?.match(/\.(doc|docx|xls)$/)) {
    e.preventDefault();
    alert('Downloads are restricted for this file type.');
  }
});
```
Embed Files via Iframe
Use an iframe to display the file directly in your page, instead of linking to it. This keeps the file URL less visible to casual users:
```html
<iframe
  src="/path/to/your/file.xls"
  width="100%"
  height="600px"
  frameborder="0"
  title="View Excel File"
></iframe>
```
For an extra layer of security, convert your doc/docx/xls files to formats that are inherently viewable in the browser (like HTML or PDF) before serving them. For example:
- Convert Excel files to HTML tables using server-side tools, then display the table directly.
- Convert Word documents to PDF, then render the PDF in the browser using a client-side library (no direct access to the original file).
- Server-side is non-negotiable: Frontend methods are just a deterrent. Anyone with browser dev tools can still fetch the file URL and download it. Always prioritize server header settings.
- Test across browsers: Some older browsers might handle the inline disposition differently. Test on Chrome, Firefox, Edge, and Safari to ensure consistency.
- Pair with access control: If these files are sensitive, add authentication/authorization to ensure only authorized users can view them.
The question in this content comes from Stack Exchange; question author: DevangPatel




