Okay, got it, thank you. Since in the installation I'd like to stick to plain URLs, how could I protect it most easily?
Edit: Okay, I fiddled around a bit, but was unable to solve the problem.
I tried to use .htaccess and check against the session cookie:
RewriteCond %{REQUEST_FILENAME} (.*)
RewriteCond %{HTTP_COOKIE} !flarum_session [NC]
RewriteRule ^assets/files/.* - [F,L]
Problem is, the session_cookie won't get deleted after logout. And someone could just insert the cookie manually without a valid value.
Any hints on how to solve this?