How do I prevent access to a given directory ? Here is the structure of my website :
config.php
.htaccess
classes/
|----lib/
| |----...
|----classes.php
webroot/
|----index.php
|----ctrl/
| |----...
|----pages/
| |----...
|----style/
|----...
The DocumentRoot is webroot. I want to prohibit access to the following folders : ctrl, pages, style. But the files stored in these folders still have to be available to be included in the index.php file.
In other words, there is an index.php file. Its role is to call (include) all the necessary files from pages/, ... The users can load index.php from their browser but they cannot access the other files alone.
I wrote this code is a .htaccess file but it doesn't do anything :
deny from all
<Files webroot/index.php>
allow from all
</Files>
This .htaccess file is located at the root folder for my project (before webroot/). What I try to do here is to deny access to every directory and files in the project except for the main index.php file.
What is it not working ? What went wrong ?
Thank you in advance.
I solved the problem. First of all, I had to activate .htaccess files in my httpd.conf file. Then I wrote this in my .htaccess :
<Files webroot/pages>
deny from all
</Files>
<Files webroot/style>
deny from all
</Files>
Do you want to prevent people list files in your webroot?
If so, you can add the following option in your htaccess file:
Options -Indexes
Related
I'm trying to hide all the php and some html file in my server folder only by direct call from url... particularly i need to hide the register.html (this file is for users registration), and other php file.. (these php files contain sensitive data for database connection). How can i do this?? Thanks for any help ;)
Create/edit the .htaccess file in the directory where the files are located.
For denying all direct access to all files in the directory, add this:
Deny from all
For restricting only a specific file:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
For restricting specific file types, you need to edit the .htaccess file in the webroot folder. This rule will deny access to all .php and .html files in myFolder and its subdirectories.:
RewriteRule ^myFolder/.*\.(php|html)$ - [F,L,NC]
More examples on denying access to file types: https://stackoverflow.com/a/20489058/6817376
You can use this for register.html:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
and in the same way for other files.
In my application is possible to create a directory, and the user can store files inside that folders. So suppose that I have the following structure:
/public_html
/app
/assets
/documents
/folder_name
-list of files
My goal is to prevent that the user types as URL:
https://myapp.com/assets/documents
or
https://myapp.com/assets/documents/folder_name
and see all the files or directories available in there, is there a way to prevent this via .htaccess?
If you want to simply prevent the directory listing, you can put:
Options -Indexes
inside an .htaccess file in the root directory of your assets. Your vhost/server configuration must have the AllowOverride Options set for this to work though.
If you wish to prevent the files from being accessed you could use the <Files directory which is allowed inside an .htaccess file, but the better solution would be to simply move that directory out of the public root.
Put .htaccess in that folder, and add
Deny from all within
Or if you want to apply the directive dynamically to folder (in case you have access to Apache configuration):
<DirectoryMatch "^/public_html/app/assets/documents/(.+)/" >
Order Allow,Deny
Deny from all
</DirectoryMatch>
or within the folder_name:
<DirectoryMatch "^/public_html/app/assets/documents/folder_name(.+)/" >
Order Allow,Deny
Deny from all
</DirectoryMatch>
One of the approaches is to generate blank index.php within a folder.
I'm trying to hide all the php and some html file in my server folder only by direct call from url... particularly i need to hide the register.html (this file is for users registration), and other php file.. (these php files contain sensitive data for database connection). How can i do this?? Thanks for any help ;)
Create/edit the .htaccess file in the directory where the files are located.
For denying all direct access to all files in the directory, add this:
Deny from all
For restricting only a specific file:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
For restricting specific file types, you need to edit the .htaccess file in the webroot folder. This rule will deny access to all .php and .html files in myFolder and its subdirectories.:
RewriteRule ^myFolder/.*\.(php|html)$ - [F,L,NC]
More examples on denying access to file types: https://stackoverflow.com/a/20489058/6817376
You can use this for register.html:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
and in the same way for other files.
I am using Laravel 5.1
I recently uploaded my project in shared hosting. but when i browse http://siteAddress.com/local/.env my .env file is visible.
Is there any way to hide this file or redirect people if they want browse the site with folder view?
Finally I hide .env and disable index view of the folder named local. I create a .htaccess in folder local.
And here is the code of .htaccess
# Disable index view
Options -Indexes
# Hide a specific file
<Files .env>
Order allow,deny
Deny from all
</Files>
Please create a .htaccess file where you have .env file and write the code as shown below:
# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Ee][Nn][Vv])">
order allow,deny
deny from all
satisfy all
</Files>
Then try to hit the .env file from url and it will not be available and show codes inside.
If you want to remove it from github.
Please create new file .gitignore on the same directory.
and add line
.env
You can add below code in .htaccess file to disable directory listing and restrict access of .env file:
# Disable Directory listing
Options -Indexes
# block files which needs to be hidden, specify .example extension of the file
<Files ~ "\.(env|json|config.js|md|gitignore|gitattributes|lock)$">
Order allow,deny
Deny from all
</Files>
The .env file resides outside the public folder so it should not be visible from outside world if the server is configured to see the public folder as document root.
From the best answer:
Remember that once your server is configured to see the public folder
as the document root, no one can view the files that one level down
that folder, which means that your .env file is already protected, as
well your entire application. - That is the reason the public folder
is there, security. - The only directories that you can see in your
browser if you set the document root to the public folder is the
folders that are there, like the styles and scripts.
https://laracasts.com/discuss/channels/general-discussion/how-do-you-protect-env-file-from-public
Check the folder structure on your hosting and make sure the public folder is the document root.
I'm attempting to deny access to anyone surfing for PHP files in a specific directory:
example.com/inc/
I've created an example.com/inc/.htaccess file with the contents:
Order deny,allow
Deny from all
This results in a 403 Forbidden response when I try to access one of the files. For example: example.com/inc/file.php
The problem is, my web server is also denied access and my application stops working.
How can I deny access to people surfing for such PHP files but allow my shared web server access?
Note: I'm using GoDaddy shared hosting.
I would would just use a rule and block the access that is entered by the user. This will block any php file that is entered.
RewriteEngine On
RewriteRule ^.*\.php$ - [F,L,NC]
Edit based on your comment. Try this way.
<Files (file|class)\.php>
order allow,deny
deny from all
allow from 127.0.0.1
allow from 192.168.0.1
</Files>
Replace 192.168.0.1 with your server IP address.
Use proper directory structure put your files to lib/ directory for example and include them from file which is not present in this directory. This is how common frameworks works.
You can even map your url to web/ directory and put lib one directory up then you are sure that there is no access to your .php file but only index.php and assets.
You can read how it is solved for example in Symfony2 http://symfony.com/doc/current/quick_tour/the_architecture.html it'll give you some clues.
To block navigation access to all files ending in .php you can use:
RedirectMatch 403 ^.*\.php$
To only deny access to php files you can use this:
<Files *.php>
order allow,deny
deny from all
</Files>