I to added a downloadable product and copied the file path and found that the downloadable product can be downloaded without logging in or even if it wasn't and can be downloaded even if maintenance mode is activated... If I have all my file names are similar, they would be able to guess all the files offered. I'm using the Force Download method and am checking to see if the XSendfile is on my server but no matter what I select it seems that the file path is accessible... I would think that it would protect the main file and auto-name random names for each purchase or something right?
My site is in maintenance mode and this test file can be downloaded ... if all packs are named texture-pack-001.zip, they would just change the 001 to 002 and have access to a pack they didn't purchase.
When I do a check on your Apache modules I see this:
[root@vps1 ~]# httpd -L | grep -i send
Controls whether sendfile may be used to transmit files
whether or not to send a Content-MD5 header with each request
The name of the X-Sendfile peudo response header or On or Off
Send buffer size in bytes
Will those provide the functionality I need XSendFile? I have XSendFile currently selected.