How To Create a Download Link

An HTML download link is a hyperlink that allows users to download a file from a website. When a user clicks on a download link, the file specified in the link is downloaded to their device. Download links can be used to distribute a wide range of files, including documents, images, audio files, videos, and software.

HTML Download Link

To create an HTML download link, you need to use the a (anchor) element and set the href attribute to the URL of the file you want to download. You can also specify the text that appears on the link by adding text between the opening and closing a tags.

Following is an example of an HTML download link for a PDF document:

<a href="" download>Download PDF</a>

In the above example, the href attribute points to the URL of the PDF document, and the download attribute tells the browser to download the file instead of opening it in the browser.

You can also customize the appearance of the download link using CSS styles, just like any other HTML element. For example, you could add a background color or change the font size of the link text.

The "download" attribute can also be used to specify a different filename for the downloaded file, as shown in the example below:

<a href="" download="my_document.pdf">Download My Document</a>

In the above example, the downloaded file will be saved as "my_document.pdf" instead of "document.pdf". The text "Download My Document" is displayed as the link text.

Note that the "download" attribute is not supported by all browsers, particularly older ones. In these cases, clicking on the download link will simply open the file in the browser window. To ensure that the download prompt appears in all browsers, it is recommended to also include the "target" attribute with the value "_blank", as shown below:

<a href="" download target="_blank">Download Document</a>

This will open the download prompt in a new browser window, even if the "download" attribute is not supported.

Types of files downloaded using an HTML download link

HTML download links can be used to link to any type of file that can be downloaded, including documents, images, videos, audio files, compressed files, and more.

Some examples of file types that can be linked to with an HTML download link include:

PDF files:

<a href="" download>Download PDF</a>

Image files (e.g. JPEG, PNG, GIF):

<a href="" download>Download Image</a>

Video files (e.g. MP4, AVI, MOV):

<a href="" download>Download Video</a>

Audio files (e.g. MP3, WAV):

<a href="" download>Download Song</a>

Compressed files (e.g. ZIP, RAR):

<a href="" download>Download Archive</a>

File Location

When linking to a file with an HTML download link, it is important to ensure that the file is hosted on a server that supports direct downloads. For example, some cloud storage services may not allow direct downloads of files, requiring users to navigate through a web interface to access the file. In these cases, the download link will not work as expected.

File Size

Consider the file size and download speed when linking to large files, as users with slower internet connections may experience long download times or timeouts. Providing a file size next to the download link can help users gauge the download time before initiating the download.

Add a file size to an HTML download link

To add a file size next to an HTML download link, you can use JavaScript to dynamically calculate the file size and display it in the link text.

<a href="" download id="download-link">Download Document</a> <script> var link = document.getElementById("download-link"); var url = link.getAttribute("href"); var xhr = new XMLHttpRequest();"HEAD", url, true); xhr.onreadystatechange = function() { if (xhr.readyState == xhr.DONE) { if (xhr.status == 200) { var size = xhr.getResponseHeader("Content-Length"); size = Math.round(size / 1024); // Convert bytes to kilobytes link.innerHTML += " (" + size + " KB)"; } } }; xhr.send(); </script>

In the above example, add an id attribute to the download link (id="download-link") so that it can reference this JavaScript code. Then create a new XMLHttpRequest object to send a HEAD request to the URL specified in the href attribute of the download link.

When the XMLHttpRequest object receives a response, check the Content-Length header to get the size of the file in bytes. Then convert the size to kilobytes and append it to the link text using JavaScript (link.innerHTML += " (" + size + " KB)";).

This method requires JavaScript, so users who have disabled JavaScript in their browsers will not see the file size displayed next to the download link. Additionally, some servers may not return the Content-Length header, in which case the file size will not be displayed.

HTML download link open in a new tab or window

To make an HTML download link open in a new tab or window, you can add the target attribute with the value _blank to the link.

<a href="" download target="_blank">Download Document</a>

In the example, add the target attribute with the value _blank to the download link. This tells the browser to open the link in a new tab or window when the user clicks on it.

Note that some browsers may block the new tab or window from opening if it is triggered by a user action, such as clicking on a link. To avoid this, you can use JavaScript to open the link in a new tab or window.

<a href="" download onclick=", '_blank'); return false;">Download Document</a>

In the above example, use the onclick attribute to call a JavaScript function that opens the link in a new tab or window using the method. The return false; statement at the end of the function prevents the default behavior of the link, which would be to navigate to the specified URL in the current tab or window.

Opening links in new tabs or windows can be a usability issue for some users, especially those with certain disabilities or using assistive technologies. Therefore, it is recommended to use this feature sparingly and only when it is necessary for the user experience.

Add a password or authentication to an HTML download link

To add password or other authentication to an HTML download link, you can create a server-side script that requires users to authenticate before allowing them to download the file. Here's an example:

Create a PHP script that checks for authentication:

<?php $valid_user = "username"; // Replace with your valid username $valid_pass = "password"; // Replace with your valid password if (!isset($_SERVER['PHP_AUTH_USER']) !isset($_SERVER['PHP_AUTH_PW']) ($_SERVER['PHP_AUTH_USER'] != $valid_user) ($_SERVER['PHP_AUTH_PW'] != $valid_pass)) { header('WWW-Authenticate: Basic realm="Restricted Area"'); header('HTTP/1.0 401 Unauthorized'); echo 'Authentication required'; exit; } ?>

In the above script, define a valid username and password, and check whether the PHP_AUTH_USER and PHP_AUTH_PW server variables match these values. If they don't match, send a 401 Unauthorized header and prompt the user to authenticate using the WWW-Authenticate header.

Use the PHP script to serve the file:

<a href="download.php?file=document.pdf" download>Download Document</a>

In this HTML code, link to the PHP script (download.php) and pass the name of the file want to download as a parameter (file=document.pdf).

Modify the PHP script to serve the file:

<?php $valid_user = "username"; // Replace with your valid username $valid_pass = "password"; // Replace with your valid password if (!isset($_SERVER['PHP_AUTH_USER']) !isset($_SERVER['PHP_AUTH_PW']) ($_SERVER['PHP_AUTH_USER'] != $valid_user) ($_SERVER['PHP_AUTH_PW'] != $valid_pass)) { header('WWW-Authenticate: Basic realm="Restricted Area"'); header('HTTP/1.0 401 Unauthorized'); echo 'Authentication required'; exit; } $file = $_GET['file']; $path = 'files/' . $file; // Replace with your file path if (!file_exists($path)) { header('HTTP/1.0 404 Not Found'); echo 'File not found'; exit; } header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename=' . basename($path)); header('Content-Transfer-Encoding: binary'); header('Expires: 0'); header('Cache-Control: must-revalidate'); header('Pragma: public'); header('Content-Length: ' . filesize($path)); ob_clean(); flush(); readfile($path); exit; ?>

In this modified PHP script, check for authentication as before, but now serve the file using the readfile() function. Set the appropriate headers to ensure that the file is downloaded as an attachment rather than displayed in the browser window.

This is just one example of how to add authentication to an HTML download link. The exact method will depend on your server configuration and the programming language you use for the server-side script. Additionally, you should ensure that any authentication system you implement is secure and does not expose sensitive information to unauthorized users.

Security concerns with HTML download links

There are security concerns with HTML download links that you should be aware of.

  1. Malicious files: HTML download links can be used to distribute malicious files such as viruses, malware, or ransomware. As a result, users may be wary of downloading files from unknown sources or clicking on suspicious download links.
  2. Spoofed links: Attackers can create spoofed download links that appear to be legitimate but actually lead to malicious websites or files. These links may be disguised using social engineering techniques such as fake logos, names, or branding.
  3. Phishing: HTML download links can be used to launch phishing attacks by tricking users into downloading fake or malicious files. For example, an attacker might create a fake download link that appears to be for a legitimate software update but actually installs malware on the user's computer.
  4. Cross-site scripting (XSS): HTML download links can be vulnerable to cross-site scripting attacks, where an attacker injects malicious code into a web page that is then executed in the user's browser. This can lead to the user unknowingly downloading a malicious file or being redirected to a spoofed website.

To mitigate these security concerns, here are some best practices for HTML download links:

  1. Use HTTPS: Use HTTPS to encrypt the connection between the user's browser and the server, preventing attackers from intercepting or tampering with the download link.
  2. Scan files for malware: Scan all files for malware before making them available for download to ensure that they are safe.
  3. Provide clear and accurate descriptions: Provide clear and accurate descriptions of the files being downloaded so that users can make informed decisions about whether to download them.
  4. Use trusted sources: Only link to files from trusted sources, such as reputable websites or official software providers.
  5. Use file extensions: Use file extensions to indicate the type of file being downloaded, such as .pdf, .docx, or .exe. This can help users avoid downloading files that could potentially harm their computer.
  6. Implement access controls: Implement access controls to restrict who can download files from your website, such as requiring authentication or only allowing downloads from certain IP addresses.


There are some security concerns with HTML download links. Malicious actors may use download links to distribute malware or other harmful files, so it's important to only download files from trusted sources. Additionally, you should always scan downloaded files with antivirus software before opening them on your device.