.htaccess Trick To Properly Download Binary Files

Add this to the .htaccess at your website’s root.
It will make sure binary files
– are fully supported by parallel and multi-download managers.
– are explicitly downloaded, even on older browsers.
– are not sniffed for type (first few bytes).
– get a proper file name in Content-Disposition; even long names are supported.

The rule below includes a lot of extensions,
which I’ve mostly extracted from 7Zip, WinRAR, WinZip, Adobe Audition and UltraISO.

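It also prevents files from being executed from your website
on the client’s desktop or mobile phone, especially XPI (Firefox extension) and CRX (Chrome extension) files,
which will no longer trigger warnings from the browser (so you can finally host them safely).
Note that the extension list below contains xpi but not crx; add crx to the list if you host Chrome extensions.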

Naturally, don’t expand the rule below to web extensions such as PHP, HTM, HTML, SWF or JS, otherwise your website’s files will suddenly be downloaded instead of being parsed.

Adding old file extensions such as vbs is recommended; again, this adds a security measure that prevents script execution (mostly for Internet Explorer users) on their desktops.

<FilesMatch "\.(?i:000|001|002|7z|7zip|ace|aif|ape|arj|ashdisc|au|avi|b5i|b5t|b64|b6i|b6t|bat|bhx|bif|bin|bwi|bwt|bz2|bzip|bzip2|c2d|cab|ccd|cda|cdi|cel|cif|cmd|command|cpio|cpx|cue|daa|dao|db|dbl|deb|dmg|dvd|dwd|fat|fcd|fla|flac|flp|gi|gz|gzip|hfs|hqx|iff|ima|img|iso|isz|jar|lcs|lha|lzh|lzma|m4a|mac|mdf|mds|mim|mp\+|mp\+\+|mp1|mp2|mp3|mp4|mpc|mpg|mpp|ncd|nrg|ntfs|off|p2i|pcm|pdi|pxi|rar|raw|reg|rif|rpm|sam|smp|snd|sql|sql3|sqlite|squashfs|svx|swm|tao|tar|tar\.md5|taz|tbz|tbz2|tgz|timg|tpz|txz|tz|uif|uue|vbs|vc4|vhd|voc|vox|wav|wim|wma|xar|xmd|xmf|xpi|xz|z|zip|zipx)$">

##optional - will force download, but will also make HTML5 audio/video resources not work on older browsers.
#  <IfModule mod_mime.c> 
#    ForceType application/octet-stream
#  </IfModule>
##

  <IfModule mod_headers.c> 
    ##fix a bug in old GoDaddy servers.
    Header unset X-Content-Type-Options
    Header unset Content-Disposition

    ##prevent mimetype sniffing (first few bytes can determine that a file should be opened in browser).
    Header set X-Content-Type-Options "nosniff"

    ##extract the filename and apply it properly, for example: Content-Disposition: attachment; filename="my music.mp3"
    SetEnvIf Request_URI "^.*/([^/]*)$" FILENAME=$1
    Header set "Content-Disposition" "attachment;filename=\"%{FILENAME}e\""
    UnsetEnv FILENAME
  </IfModule>

</FilesMatch>

Content-Disposition Header – Like A Boss 👔☕

##place inside a folder that contains some music, videos and documents; this will override the default handler.

<FilesMatch "\.(mov|mp3|pdf)$">

  <IfModule mod_mime.c> 
    ForceType application/octet-stream
  </IfModule>

  <IfModule mod_headers.c> 
    ##fix a bug in old GoDaddy servers.
    Header unset X-Content-Type-Options
    Header unset Content-Disposition

    ##prevent mimetype sniffing (first few bytes can determine that a file should be opened in browser).
    Header set X-Content-Type-Options "nosniff"

    ##extract the filename and apply it properly, for example: Content-Disposition: attachment; filename="my music.mp3"
    SetEnvIf Request_URI "^.*/([^/]*)$" FILENAME=$1
    Header set "Content-Disposition" "attachment;filename=\"%{FILENAME}e\""
    UnsetEnv FILENAME
  </IfModule>

</FilesMatch>
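
One way to check that the rules above took effect, as an added example that is not part of the original post: the function audits response headers (such as those printed by `curl -sI`) for what the rules are meant to guarantee. The function name, the `example.test` URL and both sample responses are constructed for illustration.

```python
# Added example: audits response headers such as those printed by `curl -sI <url>`.
# audit_download_headers and both sample responses are constructed for illustration.
import re
from email.parser import Parser
from urllib.parse import unquote, urlsplit

def audit_download_headers(url, raw_headers, expect_octet_stream=False):
    """Return a list of findings; an empty list means every check passed."""
    text = raw_headers.replace("\r\n", "\n").strip()
    _status_line, _, header_block = text.partition("\n")
    msg = Parser().parsestr(header_block, headersonly=True)
    findings = []

    # Exactly one nosniff value: a duplicate means an upstream header survived the unset.
    nosniff = [v.strip().lower() for v in msg.get_all("X-Content-Type-Options", [])]
    if nosniff != ["nosniff"]:
        findings.append(f"X-Content-Type-Options: expected one 'nosniff', got {nosniff}")

    # One attachment disposition whose quoted filename is the decoded last path segment.
    expected = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    dispositions = msg.get_all("Content-Disposition", [])
    match = None
    if len(dispositions) == 1:
        match = re.fullmatch(r'attachment;\s*filename="([^"]*)"', dispositions[0].strip())
    if match is None:
        findings.append(f"Content-Disposition: not a single quoted attachment: {dispositions}")
    elif match.group(1) != expected:
        findings.append(f"Content-Disposition: filename {match.group(1)!r} != {expected!r}")

    # Only relevant where the ForceType variant of the rule is enabled.
    if expect_octet_stream and msg.get_content_type() != "application/octet-stream":
        findings.append(f"Content-Type: {msg.get_content_type()} is not application/octet-stream")
    return findings

GOOD = (  # constructed sample: both rules applied
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    'Content-Disposition: attachment;filename="my music.mp3"\r\n'
)
BAD = (  # constructed sample: the rule did not apply to this file
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: audio/mpeg\r\n"
    "Content-Disposition: inline\r\n"
)

if __name__ == "__main__":
    url = "https://example.test/mydirectory/my%20music.mp3"
    for name, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_download_headers(url, raw, expect_octet_stream=True))
```

A duplicated `X-Content-Type-Options` header or a filename that differs from the decoded last URL segment is reported as a finding as well.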

forcing type / because of ‘reasons’? 👐
If this header is used in a response with the application/octet-stream content-type, the implied suggestion is that the user agent should not display the response, but directly enter a ‘save response as…’ dialog.


Also edit your HTML so that links use HTML5’s download attribute:

<a href="mydirectory/my%20music.mp3" download="my music.mp3" type="application/octet-stream" title="click to download">hello!!</a>

(which is good enough for Google).

✨And, naturally.. 👀 you can combine both of the solutions!

reference: W3 / Protocols – RFC2616 (Section 19).

also answered on stackoverflow