With these files in place, and given a static file at assets/protected/hello.txt containing the words 'hello world' and another file at assets/robots.txt, you could run sails lift and do a GET on http://localhost:1337/robots.txt and have the file returned normally, but a GET on http://localhost:1337/protected/hello.txt would return 'you are not allowed!'.
You can extend this example to do things like HTTP basic authentication, filtering based on origin, etc.
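The HTTP basic authentication extension mentioned above could look like the following. This is an added example, not code from the gist: it assumes an Express-style (req, res, next) middleware, and the names protectStatic, PROTECTED_PREFIX and USERS, along with the credential in USERS, are constructed for illustration.

```javascript
// Added example: Express-style (req, res, next) middleware for the /protected/ prefix.
// USERS holds a constructed placeholder credential; load real ones from configuration.
const crypto = require('crypto');
const posix = require('path').posix;

const PROTECTED_PREFIX = '/protected/';
const USERS = { demo: 'constructed-password' };

// Hash both sides so timingSafeEqual always gets equal-length buffers.
function safeEqual(a, b) {
  const h = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(h(a), h(b));
}

// Parse "Basic base64(user:pass)"; returns null when the header is missing or malformed.
function parseBasic(header) {
  const m = /^Basic ([A-Za-z0-9+\/=]+)$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':'); // the password may itself contain ':'
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

function protectStatic(req, res, next) {
  let path;
  try {
    // Normalise first so encoded, doubled-slash or mixed-case forms of the prefix are still checked.
    path = posix.normalize(decodeURIComponent(req.path || '/')).toLowerCase();
  } catch (e) {
    return res.status(400).send('bad request'); // malformed percent-encoding
  }
  if (!path.startsWith(PROTECTED_PREFIX)) return next(); // e.g. /robots.txt

  const creds = parseBasic(req.headers && req.headers.authorization);
  const known = creds !== null && Object.prototype.hasOwnProperty.call(USERS, creds.user);
  // Compare even for unknown users so both failure paths do the same work.
  const match = safeEqual(creds ? creds.pass : '', known ? USERS[creds.user] : '');
  if (known && match) return next();

  res.set('WWW-Authenticate', 'Basic realm="protected"');
  return res.status(401).send('you are not allowed!');
}
```

The middleware has to run before whatever serves the static files, and because basic authentication only base64-encodes the credentials, it should be used over TLS.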
This gist is inspired by this Stack Overflow link