So I've my images folder, and I protect it with a index.php file with no text or anything. So they can't browse the images. But is this enough as security? I've tried to disable the url with php but without any success. Is there another way of doing this?
One easy way to prevent the directory content from being displayed is to disable directory listing.
Don't place an index file in the directory you like to prevent from public access. Create a .htaccess file add Options -Indexes to it. This would cause a http 403 error when you point to the directory.
Related
I am working on a CI Application.
Now I Have a folder in my project called base_ini, in which I have some config files. I want to secure this file, so no can can view its content directly from browser.
So I tried this two ways:
Put an index.html saying that Directory access is forbidden.
I put a .htaccess file in that folder with Deny from all
If I pass this in URl : www.example.com/base_ini I do get proper error message.
But still if from browser I pass this path www.example.com/base_ini/default.ini then I can view its content.
How can I stop this access?
Put below line in your htaccess file and put that file at www.example.com/base_ini/ (path)
Options -Indexes
Ok so my current sites is on the .htaccess method to block user access to the directory
e.g. http://www.example/_directory/ via Options All -Indexes
Question should I stick with that or is putting an index file e.g. index.php in every directory better? I'm thinking of an index.php that will redirect to the homepage rather than giving users an error 403 page.
Opinions?
It would be clever to build your web site in a way that these subdirectories also have content (e.g. about/ also shows some information, when about/history/ and about/our-company/).
If the directories contain only files, it's IMHO totally fine to just have a 403.
Answers to your questions might be very biased.
If you're on a Unix/Linux server, you don't need to have blank index files at all in your directories. Just create a .htaccess file and put the following code in it:
Code:
Options -Indexes
When anyone tries to access the contents of a directory that doesn't have an index file, they'll get a 403 error.
Ref : http://wildlifedamage.unl.edu/manual/mod/core.html#options
My website deals with images. Whenever a user uploads an image it will be stored in "imagefiles" folder, but the problem is users can see all the images of that folder on web through http. To prevent it I made changes to .htaccess of the folder to be forbidden, but by doing that I am unable to read the images to show it on webpage myself.
So how can I make this folder such that only I can use to read it and when users try to access it through http it should say forbidden?
You could disable the index for that folder, by creating a dummy index.html page, or disabling the default index in your .htaccess with:
<Directory /path/to/image/folder>
Options -Indexes
</Directory>
That will stop people from browsing a directory listing of all images, but not stop them from accessing images directly.
If you want more fine control you should Rewrite all requests to that folder to a PHP script which will check the $_REQUEST['REQUEST_URI'] to determine what image they were trying to load, then if they are allowed to view it by whatever logic you choose, you send out the appropriate headers for the type of image it is, and readfile('/path/to/image');
Probably the most flexible way to do what you want is to get the folder with images out of reach of webserver. Then show them on your page via readfile() (as Paulpro mentioned). There is nice example of how to do that in php manual:
http://www.php.net/manual/en/function.readfile.php
Using this way you will be able very easily control users access to images on your website.
Or you can use mod_rewrite to disable access to directory listing as:
RewriteEngine On
RewriteBase /
RewriteRule ^imagefiles/?$ - [F,L,NC]
Apologies if my question is unclear, but I'm not quite up with the jargon. By 'resource directories' I mean my css, php scripts, images, javascript ect.
I used an .htaccess file in my images directory that contained
deny from all
to do this. Though this prevented people from typing "www.example.com/images" into their browser and accessing my images directory, the images stopped appearing on my website.
I assume this is because the .htaccess file is even denying my source code from accessing the images. How can I let my source code access directories? I also have a cron job running a php script every night. The cron job also needs to be allowed to access the scripts directory.
Also, is using .htaccess files even the best way to secure a site?
To prevent someone to view your images directory, you need to disallow Directory Listing.
http://viralpatel.net/blogs/htaccess-directory-listing-enable-disable-allow-deny-prevent-htaccess-directory-listing/
You cannot use deny from all, because nothing can be loaded from that directory from a web browser, so your images which you load with on your website won't load either.
Options -Indexes will disallow people to list files in your images directory. Please see http://viralpatel.net/blogs/htaccess-directory-listing-enable-disable-allow-deny-prevent-htaccess-directory-listing/
For securing data from being viewed by people who shouldn't you can use a authentication. You can setup a login field with htaccess, or script one with, for example PHP or python.
Login script with htaccess:
Script:
http://www.htaccesstools.com/htpasswd-generator/
Password file:
http://www.htaccesstools.com/htaccess-authentication/
You can prevent from accessing any directory you want:
Add this snippet in your httpd.conf file (you can find httpd.conf file here C:\wamp\bin\apache\apache2.4.9\bin)
<Directory "c:/wamp/www/directory_A/">
Options -Indexes
</Directory>
In this case you can access www directory but can't inside directory_A.
or
<Directory "c:/wamp/www/directory_A/uploads/">
Options -Indexes
</Directory>
In this case you can access 'directory_A/' directory but can't inside 'uploads/'.
Could access to files like df9dfglh_56_ghf.mp3 in /www/pub/ prevented with an empty index.html file? (but giving access via index.php with login to a database that then links to that file name)?
UPDATE: but I would rather NOT restrict access to the directory, if I want to play the file in my own 'cloud player'... (bit like the youtube category: only people with the link can see the file)
The bottom line: I want minimise server traffic, or copyright problems (if those files became publically accessible)
For preventing access from a certain file or even for a certain type of file, you can use the .htaccess, which is an apache configuration file that provide some ways to make configuration changes on a per-directory basis. And then append to it the following line
<Files ~ "\.mp3$">
Order allow,deny
Deny from all
</Files>
For your specific case, you can even use it this way:
<Files "df9dfglh_56_ghf.mp3$">
Order allow,deny
Deny from all
</Files>
If you wish only that the file is not listed on the index you can use this very same file to do what #Ynhockey said and issue the configuration:
Options -Indexes
I hope it helped. Cheers
if you set inside your data folder empty
index.html
When user browse ..
http://yoursite/data/
he will see empty page and he wont see your mp3 file...
But if he goes to
http://yoursite/data/yourmp3name.mp3
he will open your mp3..
By simply having an index.html or index.php, you would only be disabling directory listing. People will still be able to access any files inside that directory though if they have the direct URL to it.
If you would like to block access to specific files, you will need explicitly restrict access to those files. Here is a good resources to get started with that.
An empty index file can prevent a directory listing from showing, but it does not prevent direct access to files. This can also be done by putting the following line into your .htaccess file:
Options -Indexes
I think what you are referring to is Apache's directory-listing when there is a directory without an index. Yes, an empty index will hide this listing but no, it will no prevent access to files if the path is known. If this "share link to authorised persons only"-policy is secure enough for you then fair enough. If you want anything more secure you should consider using mod_auth or something similar og limit access by only allowing access to a .php file or something similar that provides access to only the authorised users.
in principle yes it will disable the file listing, but if the user knows the exact path, then he will be able to view/download the given file.
an effective way of doing, what i believe you are trying to do , is to put the files in a dir that is not visible by web, and then serve the files via php. then the link will be smth like,
domain.com/getfile.php?fileindetification=thefile then in getfile.php you can authenticate the user and then serve him the file, you can do even more, you can make the currentlink, be valid only for a short period of time.
it will be better to keep the file out of the web root folder so that no one outside get access to the file.