I have the following folder structure:
+users
-adduser.php
-viewuser.php
When a visitor navigates to example.com/users it's showing the folder structure. I need to restrict visitors ability to see the file listing, either by hiding it or removing it. How can I do that in php?
If you don't want to (or can't) deal with Apache configuration, create an empty file named index.html (or index.php if you prefer) in your users folder.
You can create a .htaccess file on root folder with following;
RewriteEngine on
Redirect 301 /users http://www.example.com/404.html
Then you just need to create 404.html in your website and change example.com with your domain.
Now your /users path will redirect to 404.html.
You can add the following to your Apache virtual host file:
<Directory "path_to_folder">
Options -Indexes
</Directory>
The above rule will disallow directory listing. It was suggested in this post: Using .htaccess, prevent users from accessing resource directories, and yet allow the sourcecode access resources
Related
I don't want the user to see the sub directory structures. So I am thinking of redirecting the user to the homepage whenever they try to access that.
you can just put .htaccess file with Options -Indexes in it in root directory.
How do I disable directory browsing?
My Directory structure is like this.
Root
|
assets
|-js
|-css
|-img
action
|a.php
|-b.php
include
|-inc1.php
|-inc2.php
I'm using Option Options -Indexes in .htaccess file but i have to put this file in every directory. Is there a way i can use only one hraccess file and put rule on directories? Also i wanted to know .If i use htaccess will it stop my php file from accessing the resources from these directories?
Drupal uses this in the root directory to prevent client access to some files. "profile" and "module" are directories. [Correction: profile and module are directories, but in the Drupal expression below it is checked as an extension.]
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|LICENSE.txt)$">
Order allow,deny
</FilesMatch>
For you you'd want to change the matching rule to something like this:
<FilesMatch "^(assets|action|include)$">
It's normal to use just one .htacces file in the root directory. If you want to apply rules to particular directories without adding another .htaccess file, you may be able to apply rules based on the url if the url maps with the folders. It would be easier to help you if you provided a concrete example
Ok so my current sites is on the .htaccess method to block user access to the directory
e.g. http://www.example/_directory/ via Options All -Indexes
Question should I stick with that or is putting an index file e.g. index.php in every directory better? I'm thinking of an index.php that will redirect to the homepage rather than giving users an error 403 page.
Opinions?
It would be clever to build your web site in a way that these subdirectories also have content (e.g. about/ also shows some information, when about/history/ and about/our-company/).
If the directories contain only files, it's IMHO totally fine to just have a 403.
Answers to your questions might be very biased.
If you're on a Unix/Linux server, you don't need to have blank index files at all in your directories. Just create a .htaccess file and put the following code in it:
Code:
Options -Indexes
When anyone tries to access the contents of a directory that doesn't have an index file, they'll get a 403 error.
Ref : http://wildlifedamage.unl.edu/manual/mod/core.html#options
I am using codeigniter and have put the assets folder in the root of the application that contains a .htaccess file having the content
Deny from all
This is causing problems when I want to connect to the assets folder to get the stylesheets etc. So my question here is is there any way that I can allow the access just to that assets folder, that I have?
I have never used .htacces files so have a very basic knowlege of it. I did some research on my own as well but I wasn't able to find the solution.
In your assets directory add another .htaccess file with the following:
# /assets/.htaccess
Allow from all
And I am assuming in your root directory you have the following (which you will leave):
# /.htaccess
Deny from all
Update: Based on your comment, what you are looking to do is not really possible. The browser needs to have access to your CSS file in order to use it on your page.
I am building a website on localhost for now. My files are in the www folder.
Directly inside www, I have the index.php and more php pages.
I have also some folder like pictures/ which contains pictures submitted by users; css/ with all the css files; js/ width all the js files and includes/ with some PHP files
My problem is that when I input in the browser localhost/pictures, I see the list of all my pictures. Same thing for localhost/css , localhsot/js or localhost/includes. You have the list of all my file. and it means it could be easy for a robot to download all my files , except the PHP files (which, for some reason, are not downloaded properly : PHP code is not accessible).
Is there a way to prevent access to the main directory for the users ? I thought about writing an index.php file inside www/pictures that redirects to the index.php of www. I don't know anything about best practice in term of structure/organization of folder for a website.
Thanks
Sol 1 :
you can put a .htaccess file in that folder that contains just:
deny from all
That way you cannot open any file from that folder, but you can include them in php without any problems.
Sol 2 :
# disable directory browsing
Options All -Indexes
You can force Apache to show a forbidden message when someone tries to browse your indexes by placing a .htaccess file inside all of the directories you wish to prevent browsing.
Inside your .htaccess, add the following:
# disable directory browsing
Options All -Indexes
Similarly, you can create a robots.txt file inside your web root, and add the following:
User-agent: *
Disallow: /pictures/
Disallow: /css/
Disallow: /js/
Disallow: /includes/
You should of course be aware of the SEO implications of prevent robot access to your images.
Add below code to your .htaccess to your main project folder
# disable directory browsing
Options All -Indexes
Put user specific data in a folder outside of your web root.