send_file(path, options = {}) private

Sends the file. This uses a server-appropriate method (such as X-Sendfile) via the +Rack::Sendfile+ middleware. The header to use is set via config.action_dispatch.x_sendfile_header. Your server can also configure this for you by setting the X-Sendfile-Type header.

Be careful to sanitize the path parameter if it is coming from a web page. send_file(params[:path]) allows a malicious user to download any file on your server.


  • :filename - suggests a filename for the browser to use. Defaults to File.basename(path).

  • :type - specifies an HTTP content type. You can specify either a string or a symbol for a registered type with Mime::Type.register, for example :json. If omitted, the type will be inferred from the file extension specified in :filename. If no content type is registered for the extension, the default type application/octet-stream will be used.

  • :disposition - specifies whether the file will be shown inline or downloaded. Valid values are "inline" and "attachment" (default).

  • :status - specifies the status code to send with the response. Defaults to 200.

  • :url_based_filename - set to true if you want the browser to guess the filename from the URL, which is necessary for i18n filenames on certain browsers (setting :filename overrides this option).

The default Content-Type and Content-Disposition headers are set to download arbitrary binary files in as many browsers as possible. IE versions 4, 5, 5.5, and 6 are all known to have a variety of quirks (especially when downloading over SSL).

Simple download:

send_file '/path/'

Show a JPEG in the browser:

send_file '/path/to.jpeg', type: 'image/jpeg', disposition: 'inline'

Show a 404 page in the browser:

send_file '/path/to/404.html', type: 'text/html; charset=utf-8', disposition: 'inline', status: 404

You can use other Content-* HTTP headers to provide additional information to the client. See MDN for a list of HTTP headers.

Also be aware that the document may be cached by proxies and browsers. The Pragma and Cache-Control headers declare how the file may be cached by intermediaries. They default to require clients to validate with the server before releasing cached responses. See for an overview of web caching and RFC 9111 for the Cache-Control header spec.

Show source
Register or log in to add new notes.