In a previous post, I talked about How to Automate AWeber Opt-in for Clickbank Sales, and I mentioned that it is a good idea (silly if you don’t) protect your download pages to ensure only legitimate customers who paid for your product can download it.
When I say “protect” your download pages, I do NOT mean create a crazy looking URL hoping nobody can “guess” it. This is called “attempted security by obscurity” and it does NOT work! All it takes is for someone to post the URL to your download page somewhere on the Internet and your “supposed security” is broken! The worse part happens when that link is posted on a public page somewhere and Google finds it, indexes it, and makes it available to anyone who can perform a Google search. Still think your crazy-named download URLs are secure?
I have received many questions since I wrote my last article on how to truly protect the download page, so I decided to write this brief tutorial. Although there are several products you can purchase to protect you downloads, this method does not require that you purchase anything at all…it’s FREE!
This is not something I invented. In fact, this is clearly documented on the Clickbank site. However, sometimes it just helps if someone explains it a little differently…so here it is. 
Step 1. Setup Your Clickbank Secret Key
The “Secret Key” is used to encrypt information generated by the Clickbank shopping cart regarding the purchase so that you can validate it before displaying your download page as you will see shortly. Make absolutely certain that this key is very random and is kept very secure!!!
1. Login to your Clickbank account
2. Click on the “Account Settings” tab
3. Click “My Site” on the sub-menu, below the tabs
4. Scroll down to the “Advanced Tools” section and click “Edit”
5. Enter a random “Secret Key” (up to 16 numbers and letters in ALL CAPS)
6. Copy this key as you will need it in the next section
Step 2. Edit Your Download Page
You will need to edit your download page using your favorite text or HTML editor. In order to make life simpler and avoid additional steps, your page should have a “.php” extension. I name my pages “download.php” to make it easy to remember. Name your page whatever you think makes sense.
1. Put this code at the very top of your page
Note: I mean the VERY TOP…there should be nothing above it (not even a blank line).
<?php
function cbValid() {
$key='YOUR_SECRET_KEY';
$rcpt=$_REQUEST['cbreceipt'];
$time=$_REQUEST['time'];
$item=$_REQUEST['item'];
$cbpop=$_REQUEST['cbpop'];
$xxpop=sha1("$key|$rcpt|$time|$item");
$xxpop=strtoupper(substr($xxpop,0,8));
if ($cbpop==$xxpop) {
return 1;
} else {
return 0;
}
}
if (cbValid() == "0") {
header("Location: http://YOUR_SALES_PAGE_URL");
}
?>
2. In the sample code above, replace YOUR_SECRET_KEY with the “Secret Key” you created above
3. In the sample code above, replace YOUR_SALES_PAGE_URL with the URL you want to redirect anyone who tries to reach your download page without having purchased your product. I typically set this to my sales page URL.
4. OPTIONAL: Edit the <head> section of your page and add the following META tag to ensure the search engines don’t index it:
Note: this is optional because the search engines will never be able to reach your download page, but is just an extra measure in case “something” goes wrong.
<meta name="ROBOTS" content="NOINDEX,NOFOLLOW">
5. Save your download page and upload it to your server
6. Set the new download page URL as the “Thank You Page” in your Clickbank product configuration
Important Next Steps…
Once you implement the above procedure your download page will be secure! Anyone trying to access it without actually making a purchase will be redirected to the URL you configured in the script above. Try it yourself by just typing the URL in the browser and seeing what happens.
Protecting the download page from prying eyes is great, but you also need to protect the file download link, or that link can be shared as well and your efforts from above will be in vain. Again, there are products to do this, but with some simple PHP code, you can do it for free. I will save that tutorial for another post. However, I will tell you that I use Amazon S3 to store and deliver my downloadable products. If you are interested in learning more about how to use Amazon S3 to store and deliver content securely (including streaming video, images, downloadable files, etc), you can check out my Amazon S3 Tutorial Webinar Recording, which teaches everything you need to know about using Amazon S3 securely in just one hour.
{ 5 comments… read them below or add one }
Hey Wilson,
Thanks for this post and your last post. I was able to get your last post working, but not this one. Couple questions.
1. When might you be putting out your 3rd post on protecting the download link?
2. When you say put the code at the top of your page, I assume you mean in the top of the template page, but the very top would be at the top of the header.php document. I tried in each location, but got syntax errors each time pointing to the last line of html of each document –which stumped me.
Thanks,
Mike
Very practical and useful information. I’m glad I found your blog. Be on the lookout for my purchase request for the S3 Flow Shield.
Mike,
1. Protecting download links can be done in a number of different ways. It depends on how you are hosting your downloads. I will write an article soon on how to do this with Amazon S3, my platform of choice for storing and delivering digital content.
2. I mean at the top of the page that is loading. Since you mentioned header.php I assume you are using some kind of framework or maybe even WordPress? You can put the code there. If you are putting the sample code inside PHP tags already, then remove the starting and ending php tags from the sample code, otherwise you will get the behavior you mentioned.
Wil
Hey Wil,
Just wanted to thank you for your script, just wanted to point out that you’re missing the closing bracket for your cbValid function.
Took me awhile to figure out why it wasn’t working for me!
Thanks,
Justin
@Justin,
Thanks for pointing that out. I just updated it.
Wil