--- JUST REALIZED ---
It's a 3-month-old post; someone decided to format a 3-month-old post.
----------------------
Let me give you several options to handle this:

1. Handle through Apache

You can simply deny any request that is not coming from localhost or 127.0.0.1:
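```apache
RewriteEngine On
# Both conditions must match (they are ANDed) for the rule to fire.
# HTTP_HOST is taken from the client's Host header; REMOTE_ADDR is the peer address of the connection.
RewriteCond %{HTTP_HOST} !^localhost [NC]
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
# "-" means no substitution; R=404 answers with 404 Not Found.
RewriteRule ^/?super_secret_image_path/?(.*) - [R=404,L]
```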

2. Handle through Apache, with an additional layer, using a reverse proxy. Run your main PHP application on a different port. Only localhost or the internal network would be allowed to access it, and you browse your application using the extra port when you have to access it from localhost.

3. Through PHP with Apache. Write a directory directive to deny all:
```apache
<Directory "/var/web/your_precious_image_directory">
    Require all denied
</Directory>
```

With PHP, create a rule that will translate the download request to the actual path and write the file content with the proper headers.
```php
<?php
// translate_special_image_path() and get_actual_content_type() are helpers you write yourself.
$filepath = translate_special_image_path($_GET["img"], $_GET["img"]);
if (file_exists($filepath)) {
    header('Content-Description: File Transfer');
    header('Content-Type: ' . get_actual_content_type($filepath));
    header('Content-Disposition: attachment; filename="' . basename($filepath) . '"');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($filepath));
    // Push the headers out, then stream the file body.
    flush();
    readfile($filepath);
    exit;
}
```
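
One way the two helpers the answer leaves undefined could be written, as an added example that is not part of the original post. The signatures, the allow-list of image types and the temporary demo directory are assumptions; the point is that the `img` value is resolved and confined to the denied directory before anything is read.

```php
<?php
declare(strict_types=1);

// Assumption: only these image types are ever served.
const ALLOWED_IMAGE_TYPES = ['image/png', 'image/jpeg', 'image/gif', 'image/webp'];

/** Map the client-supplied "img" value to a regular file inside $baseDir, or null. */
function translate_special_image_path($requested, string $baseDir): ?string
{
    // Reject arrays (?img[]=x), empty names and NUL bytes up front.
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks; it returns false if the target is missing.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($resolved === false || !is_file($resolved)) {
        return null;
    }
    // The resolved path must still sit below the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($resolved, $prefix, strlen($prefix)) === 0 ? $resolved : null;
}

/** Content type detected from the file's bytes (fileinfo), or null if not allow-listed. */
function get_actual_content_type(string $path): ?string
{
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return in_array($type, ALLOWED_IMAGE_TYPES, true) ? $type : null;
}

// Constructed demo (CLI only): one image inside the base directory, one file outside it.
if (PHP_SAPI === 'cli') {
    $root = sys_get_temp_dir() . '/img_demo_' . bin2hex(random_bytes(4));
    mkdir("$root/images", 0700, true);
    file_put_contents("$root/images/a.gif", "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
    file_put_contents("$root/secret.txt", 'outside the image directory');
    foreach (['a.gif', '../secret.txt', 'missing.gif', ['a.gif']] as $img) {
        $path = translate_special_image_path($img, "$root/images");
        $type = $path === null ? null : get_actual_content_type($path);
        echo json_encode($img), ' => ', $type ?? 'rejected (404)', PHP_EOL;
    }
}
```

In the download script, a null from either helper should end the request with `http_response_code(404)` before any header or file content is sent.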