I am using Laravel 5.1
I recently uploaded my project in shared hosting. but when i browse http://siteAddress.com/local/.env my .env file is visible.
Is there any way to hide this file or redirect people if they want browse the site with folder view?
Finally I hide .env and disable index view of the folder named local. I create a .htaccess in folder local.
And here is the code of .htaccess
# Disable index view
Options -Indexes
# Hide a specific file
<Files .env>
Order allow,deny
Deny from all
</Files>
Please create a .htaccess file where you have .env file and write the code as shown below:
# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Ee][Nn][Vv])">
order allow,deny
deny from all
satisfy all
</Files>
Then try to hit the .env file from url and it will not be available and show codes inside.
If you want to remove it from github.
Please create new file .gitignore on the same directory.
and add line
.env
You can add below code in .htaccess file to disable directory listing and restrict access of .env file:
# Disable Directory listing
Options -Indexes
# block files which needs to be hidden, specify .example extension of the file
<Files ~ "\.(env|json|config.js|md|gitignore|gitattributes|lock)$">
Order allow,deny
Deny from all
</Files>
The .env file resides outside the public folder so it should not be visible from outside world if the server is configured to see the public folder as document root.
From the best answer:
Remember that once your server is configured to see the public folder
as the document root, no one can view the files that one level down
that folder, which means that your .env file is already protected, as
well your entire application. - That is the reason the public folder
is there, security. - The only directories that you can see in your
browser if you set the document root to the public folder is the
folders that are there, like the styles and scripts.
https://laracasts.com/discuss/channels/general-discussion/how-do-you-protect-env-file-from-public
Check the folder structure on your hosting and make sure the public folder is the document root.
Related
In my application is possible to create a directory, and the user can store files inside that folders. So suppose that I have the following structure:
/public_html
/app
/assets
/documents
/folder_name
-list of files
My goal is to prevent that the user types as URL:
https://myapp.com/assets/documents
or
https://myapp.com/assets/documents/folder_name
and see all the files or directories available in there, is there a way to prevent this via .htaccess?
If you want to simply prevent the directory listing, you can put:
Options -Indexes
inside an .htaccess file in the root directory of your assets. Your vhost/server configuration must have the AllowOverride Options set for this to work though.
If you wish to prevent the files from being accessed you could use the <Files directory which is allowed inside an .htaccess file, but the better solution would be to simply move that directory out of the public root.
Put .htaccess in that folder, and add
Deny from all within
Or if you want to apply the directive dynamically to folder (in case you have access to Apache configuration):
<DirectoryMatch "^/public_html/app/assets/documents/(.+)/" >
Order Allow,Deny
Deny from all
</DirectoryMatch>
or within the folder_name:
<DirectoryMatch "^/public_html/app/assets/documents/folder_name(.+)/" >
Order Allow,Deny
Deny from all
</DirectoryMatch>
One of the approaches is to generate blank index.php within a folder.
I have a webside running on Apache and I want to make some files acceseble only via php. For example: I have a file "secret.html" and I don't want to be user able to do www.example.com/secret.html but he could do www.exapmle.com/verify.php, it would check if he can view it and then the php would do include "secret.html"; and it would be shown.
I found at least 2 ways to do what you want.
By htaccess
Add a special rule that deny access to the "secret" file. In order to simplify, you can just create a "secret" directory and then place into it every secret files. Then, create a .htaccess file in this directory that contains :
Order Allow,Deny
Deny from all
Finally, update "verify.php" and use include for php file :
include "secret/secret.php";
or readfilefor html file :
readfile("secret/secret.html");
By VirtualHost
This one is trickiest.
What you can do is to customize a little bit your vhost in your Apache settings.
Let's say you have 2 folders at the root of your website :
"secret" will contains the files you don't want to be accessible by browsers
"web" will contains your "verifiy.php" file
Then, change your Apache VirtualHost setting "DocumentRoot" to point to the "web" directory.
Finally, update "verify.php" and use include for php file :
include "../secret/secret.php";
or readfilefor html file :
readfile("../secret/secret.html");
create a .htaccess file in your directory.
//set deny all to all request which contain .html extension.
<Files *.html>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
//set allow to all .php file.
<Files *.php>
Order Allow,Deny
Allow from all
</Files>
in your verify.php file include your .html file
include "path/secret.html";
I hope it will be helpful.
I am Working with laravel 5.4. And i have problem with .env and composer.json file. Anyone can access from any browser and anyone can see my database credentials so please help me to protect this files.
you can add following code to your .htaccess (make sure your .htaccess file should be in root folder not in public)file to deny the permission of .env file
<FilesMatch "^\.env">
Order allow,deny
Deny from all
</FilesMatch>
Simply you add below code to your .htaccess file to set permission of .env and composer.json file.
<Files .env>
Order allow,deny
Deny from all
</Files>
<Files composer.json>
Order allow,deny
Deny from all
</Files>
And below line for disabling directory browsing
Options All -Indexes
Remember that once your server is configured to see the public folder as the document root, no one can view the files that one level down that folder, which means that your .env file is already protected, as well your entire application. - That is the reason the public folder is there, security. - The only directories that you can see in your browser if you set the document root to the public folder is the folders that are there, like the styles and scripts.
You can make a test like this:
Enter in your project directory with the terminal and hit this:
php -t public -S 127.0.0.1:80
The -t means the document root, where the PHP built-in web server will interpreter as the document root. - see bellow:
-t <docroot> Specify document root <docroot> for built-in web server.
Now try to access the .env file, and you will see that you will get a 404 that the resource as not found.
Of course it's just an example, you will need to configure your sever to do the same.
Nobody can view these files via the browser because the root of your website is located at /public and the composer.json and .env files are outside of this scope.
The only way to view these files is actually connecting to the web server and going to the corresponding folder.
Make sure it is on your .gitignore and you create it locally on your server.
How do I prevent access to a given directory ? Here is the structure of my website :
config.php
.htaccess
classes/
|----lib/
| |----...
|----classes.php
webroot/
|----index.php
|----ctrl/
| |----...
|----pages/
| |----...
|----style/
|----...
The DocumentRoot is webroot. I want to prohibit access to the following folders : ctrl, pages, style. But the files stored in these folders still have to be available to be included in the index.php file.
In other words, there is an index.php file. Its role is to call (include) all the necessary files from pages/, ... The users can load index.php from their browser but they cannot access the other files alone.
I wrote this code is a .htaccess file but it doesn't do anything :
deny from all
<Files webroot/index.php>
allow from all
</Files>
This .htaccess file is located at the root folder for my project (before webroot/). What I try to do here is to deny access to every directory and files in the project except for the main index.php file.
What is it not working ? What went wrong ?
Thank you in advance.
I solved the problem. First of all, I had to activate .htaccess files in my httpd.conf file. Then I wrote this in my .htaccess :
<Files webroot/pages>
deny from all
</Files>
<Files webroot/style>
deny from all
</Files>
Do you want to prevent people list files in your webroot?
If so, you can add the following option in your htaccess file:
Options -Indexes
I am using Laravel for web app. Uploaded everything on production and found out that some of the files can be directly accessed by url - for example http://example.com/composer.json
How to avoid that direct access?
You're using wrong web server configuration. Point your web server to a public directory and restart it.
For Apache you can use these directives:
DocumentRoot "/path_to_laravel_project/public"
<Directory "/path_to_laravel_project/public">
For nginx, you should change this line:
root /path_to_laravel_project/public;
After doing that, all Laravel files will not be accessible from browser anymore.
That is incorrect. composer.json sits outside of the public directory and therefore should not be accessible. This means that your VirtualHost configuration is incorrect.
Please make sure that your path to your directory ends with /public.
Point your web server to a public directory and restart it.
For Apache you can use these directives:
DocumentRoot "/path_to_laravel_project/public"
<Directory "/path_to_laravel_project/public">
Also You Can Deny files in .htaccess too.
<Files "composer.json">
Order Allow,Deny
Deny from all
</Files>
for multiple files you can add above files tag multiple times in .htaccess files.
You Can Deny files in .htaccess too.
<Files "composer.json">
Order Allow,Deny
Deny from all
</Files>
Point the web server to the public directory in the project's root folder
project root folder/public
but if you don't have the public folder and you are already pointing to the root folder, you can deny access by writing the following code in .htaccess file.
<Files ".env">
Order Allow,Deny
Deny from all
Allow from 127.0.0.1
</Files>
in the above code, first we are denying from all and allowing only from the own server (localhost to the server) to get executed, and hence we can protect it from outside users.
Set Your document root as public directory, so other files will not be accessible directly. Look for it in Your apache/nginx/??? configuration files.
It depends on the webserver your running. With Apache it would be .htaccess files whereas with Nginx it would be handled in the server configuration file.
With Apache, you can create .htaccess file in the root directory of Laravel project to rewrite all requests to public/ directory.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^(.*)$ public/$1 [L]
</IfModule>
simply create blank
index.php
file in config directory , and write message in file as you like to inform acccessor user
ex. access forbindon by server