Let's assume we have a shared host. The web root is located in /home/username/www/. Now, I have a PHP application which reads a configuration file, located at /home/username/www/include/config.json. This configuration file stores passwords and other configuration information. Assuming that access to /home/username/ or any directory outside the web root is not possible, how would I go about securing config.json from people directly GETting it?
If storing configuration information in a plaintext file is not feasible, please advise on other ways to do so.
There are two ways for secure your directory structure and prevent reading other files and content in your directory.
Disable directory content listing
Using htaccess
Putting the following the .htaccess file shall disable directory listing.
Options -Indexes
Using index.html
If the server does not allow this, then the easiest way is to put a dummy index.html file in all directories.
So that when directory path is accessed, the index.html will open up.
Keep resources outside WEB_ROOT
When hosting applications on a server , the path is generally like this :
/var/www/
OR
/home/username/www/
All web content is kept inside www , then only it is accessible on a website. But those contents which are not meant to be directly accessible from a url , can be kept outside the /www.
For example uploaded images , or resource files , or files containing database connection parameters or anything.
php files to be called by browser in
/var/www/
Other resource files in
/var/outside/
By doing this the files automatically become invisible to outside world even if directory listing is enabled.
You need a .htaccess file in your include directory that will make it unavailable from outside:
Options -Indexes
Order allow,deny
Deny from all
or for apache 2.4
Options -Indexes
Require all denied
Another solution would be to move the include to /home/username/include
Related
So I am creating a template system that is the same across multiple sites, the only thing that changed is the configuration file. I am making so all the files are getting fetched from the root directory. I can do it with all my php and html files, but I can't see to figure it out on my .htaccess file. How the directory is set up is /home/user_name/template and then there are also folders like /home/user_name/site1.com and all off the sites. So how can I make all of the site use the same .htaccess file. I hope that makes sense!
According to Wikipedia
A .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers, that allows for decentralized management of web server configuration. They are placed inside the web tree, and are able to override a subset of the server's global configuration for the directory that they are in, and all sub-directories
From Oracle-Docs :
If you enable .htaccess files, the server checks for .htaccess files before serving resources. The server looks for .htaccess files in the same directory as the resource and in that directory's parent directories, up to and including the document root.
For example,
if the Primary Document Directory is set to /oracle/server/docs
and a
client requests /oracle/server/docs/reports/index.html,
the server will check for :
.htaccess files at /oracle/server/docs/reports/.htaccess and /oracle/server/docs/.htaccess.
suppose you have 2 sites and you want to setup .htaccess for both your both sites using a single file
then just create the file structure like following
parent
site1
site2
.htaccess
Here upload all data of site1 into the site1 folder and so on.
If the server is a linux/posix system, you can create a symbolic link to the root .htaccess file.
This should be something like
cd /home/user_name/site1.com
ln -s ../template/.htaccess .
Beware the file permissions, so only you can write to it.
Many people Make their website backup.zip on their hosting server,
A zip file are place on same directory where Index.php exists.
So if i use this link my backup will download http://www.example.com/backup.zip
If I don't share my backup filename/link, is it safe from hackers or robots?
Is there any function that give my all files and directory name?
How to secure backup.zip file on hosting server?
I post this question here because I think Developers know best about
Hacking / robots attack / get directory / get files from another server
There is many way to protect your files from the eyes of internet.
The simplest one is to have a index.html, index.html, or index.php file, into the directory who contain your backup.zip, but the file still can be acceded if someone guess his name and call it from his URL like this: www.example.com/backup.zip
To avoid this issue: most of the webservers provide a way to protect your file. If we assume you are under Apache2 you must create a rule into a .htaccess file (who is located into the same directory of your file) to prevent people from accessing your backup.zip.
e.g:
<Files backup.zip>
Order allow,deny
Deny from all
</Files>
if you are not under Apache2, you could find the answer by checking the documentation of your HTTP server.
Your file is not safe as it is, as /backup.zip is the most obvious path that hackers can guess.
So to protect the zip file from unauthorised access, move it to the separate folder and create .htaccess with the following content:
Deny from all
# Turn off all options we don't need.
Options None
Options +FollowSymLinks
To make this work, your Apache needs to use mod_rewrite with option AllowOverride All for that folder to allow the .htaccess file to be run (which usually it is configured by default).
I am using codeigniter and have put the assets folder in the root of the application that contains a .htaccess file having the content
Deny from all
This is causing problems when I want to connect to the assets folder to get the stylesheets etc. So my question here is is there any way that I can allow the access just to that assets folder, that I have?
I have never used .htacces files so have a very basic knowlege of it. I did some research on my own as well but I wasn't able to find the solution.
In your assets directory add another .htaccess file with the following:
# /assets/.htaccess
Allow from all
And I am assuming in your root directory you have the following (which you will leave):
# /.htaccess
Deny from all
Update: Based on your comment, what you are looking to do is not really possible. The browser needs to have access to your CSS file in order to use it on your page.
Is it possible to hide a folder from the www directory so that the php files will not be seen if you access it through a web browser?
I'm doing this because I'm not yet good enough to secure those files and the mysql database that they are manipulating.
Or even a trick that would make the web browser not to be able to access the localhost is fine. Please
If you have a directory and you don't want Apache being able to serve any file that's in it, you can create a .htaccess file in that directory, containing :
Deny from all
This will make sure Apache refuses serving any file from that directory -- but they will still be accessible by PHP scripts running from another directory or from the command-line.
If you want Apache to be able to serve the files, but not list the content of the directory when a user accesses that directory without any filename in the URL, you can use this in your .htaccess file :
Options -Indexes
This will disable listing of files inside the directory that contains the .htaccess file -- but will not prevent Apache from serving the files themselves.
Just put the files outside of the document root and include them from there.
A very simple trick if you don't have Apache, hence no access to .htaccess (that sounds like I'm repeating myself), just create a file index.htm or index.html containing NOTHING. Any attempt to access that folder will just show a blank page.
I have a WordPress installation. I would like to have one folder in the file structure where the url will show you the files and folders and allow you to browse and download from there.
Can it be done?
Seth
You need to make a separate .htaccess file for the directory you want to be viewable. Be careful that directories deeper than the one you are in as .htaccess works downstream/cascades.
More info via: http://www.wise-women.org/tutorials/htaccess/
Allow directory browsing
There may be times when you want or need to allow visitors to browse a directory. For example, you may need to allow access to files in a directory for downloading purposes on a server that is configured to not allow it.
Many servers are configured so that visitors cannot browse directories. In that case visitors will not see the contents of the directory but will instead get an error message.
You can override the servers settings and allow directory browsing with this line:
Options +Indexes
Use an appropriate Location or Directory section and put inside it:
Options +Indexes