Has anyone tried to use X-Accel-Redirect/X-Sendfile download file method on a website hosting here?
I am a newbie here and this website is my first using Woocommerce.

The support team has installed the module on myserver per my request but not agree to modify a couple of lines on the configuration file to enhance the security recommended by Woocommerce. I tested it and it works OK without this extra configuration, but I am not sure without it, would it till be safer than Force Download method? I tried to talk to Woocommerce people too, but got nowhere with it. The support here did not rule out totally, they hinted that if I am to pay for extra support ($100/month), they might try to accommodate it. That is really not an option for me right now.

This is the line that is suppossed to be in it:

Protect WooCommerce upload folder from being accessed directly.

You may want to delete this config if you are using “Redirect Only” method for downloadable products.

Place this config towards the end of “server” block in nGinx configuration.

location ~* /wp-content/uploads/woocommerce_uploads/ {
if ( $upstream_http_x_accel_redirect = “” ) {
return 403;

It looks like I am stuck and might have to use Force Downloads instead.
It would be great to hear if anybody has any experience using it.

I’m assuming your using the plugin at https://docs.woocommerce.com/document/digital-downloadable-product-handling/

If you’re concerned about download speed and memory consumption, you could just use the “Redirect only” method. It says that it is insecure, but that doesn’t mean that hackers can get into your server, it just means that anyone could share a link to your product with others. But is that that different from a person purchasing your product, and then uploading it to a file sharing website or emailing the file to somebody else? Other than this, I believe you would still get all of the same benefits of “X-Sendfile” using “Redirect Only”.

If that extra level of protection is important to you, both “Force Downloads” and “X-Accel-Redirect/X-Sendfile” are equally safe. The difference is that X-Sendfile puts less of a strain on your server, allows for pausing/resuming downloads, and is great at handling big files, so it would be preferred when available, but both methods have the same protections against preventing unauthenticated users from downloading files they shouldn’t.

And yeah, you’re not able to make changes to the Nginx config file on your own, and Cloudways will only do it if you’re on their $100/month support plan which makes sense because once they start customizing those files, you now have a non-standard environment that could get messed up whenever they update the server each week. It’s pretty standard for hosting companies to act this way unless you pay them a lot of money.

Thanks Russell for your comments. I do not think I want to use Redirect Only, as the entire path of the files is exposed, Anyone who can see the link can download them without having to log on. I would never feel safe!

I have used Force Downloads and that seems to work OK, so I will probably carry on and do that. I’m also thinking of using Amazon S3 storage for the files. There is a lot to think about!

Thank you for your help.