I am creating RESTful web services, but I want to protect those web services and want to give access to specific domain names. I have achieved that by following code in PHP:
$allowed_hosts = array("domain1.com", "domain2.com", "domain3.com");
if (!in_array(strtolower($_SERVER["HTTP_HOST"]), $allowed_hosts))
die ("Unknown host name ". $_SERVER["HTTP_HOST"]);
I would like to know that is this the correct approach to restrict the access?
<Files "admin.php">
Order deny,allow
Deny from all
Allow from .*domain1\.com.*
Allow from .*domain2\.com.*
</Files>
put this in your .htaccess file so it will proved access to the admin.php file only from domain1.com and domain2.com
Related
I have a plugin which is using an xml file located in the plugin folder.
example.com/wp-content/plugins/myplugin/myxml.xml
I want to deny access to the file for users but not to the plugin. If I type the URL I can read the file. I used the following in htaccess inside my plugin's folder
<Files ~ "\.xml$">
Order Allow,Deny
Deny from All
</Files>
I get the 403 error but the plugin cannot read the file
I used Options -Indexes as well
How can I fix this?
<Files ~ "\.xml$">
Order Allow,Deny
Deny from All
Allow from localhost
</Files>
This will only work if you place it in the main .htaccess. Then the file is not accessible from outside but accessible from the wordpress
The recommended solution for this issue is, Set proper file permission and user group. So all the application can access the file, but Public Users can't.
For more information visit Linux File permission
There are a couple of ways to go about this:
Load the file from the filesystem and not over the network if possible.
Use access control as #Jamie_D has suggested.
His code might not work if example.com doesn't resolve to localhost (check your /etc/hosts). It the file has to be accessed over the public internet, use your public IP.
For reference, here is the documentation for mod_access.
Access can be controlled based on the client hostname, IP address, or
other characteristics of the client request, as captured in
environment variables.
And you could also use authentication for that file.
I know direct URL access can be prevented via .htaccess rules but I don't know much about meta-chars or escaping.
these are the files in my xammp/htdocs folder, accessed using
localhost:
index.php
createScheme.php
several someother.php
I want direct access to be enabled only for index.php and createScheme.php and all others pages should be blocked against direct access.
Please help!
This .htaccess file will only allow users to open index.php. Attempts to access any other files will result in a 403-error.
Order deny,allow
Deny from all
<Files "index.php">
Allow from all
</Files>
If you also want to use authentication for some of the files, you may simply add the content from your current file at the end of my example.
I have a question regarding the web application security. I would like to ask you how can I hide a specific folder of my website (in this case the admin) from the public. The admin should be accessible only from two or three IPs.
The admin will be visible as following:
www.mysite.com /admin
Thanks
You can create an .htaccess file and write
order deny,allow
deny from all
allow from YOUR_IP #Replace YOUR_IP with the IP you want to allow
allow from YOUR_IP
That's about accessing, if you want to hide the file structure, than use
IndexIgnore *
Combine a Directory directive with standard access control.
<Directory /var/www/admin>
Order deny,allow
Deny from all
Allow from 10.10.10.10
Allow from 10.10.10.11
</Directory>
I was wondering if there is an “easy” way to protect a file from begin access from all domains…
Let say that I want only a few domains to use my script so they put in their HTML
From domain yourdomain.com you write
If your domain is in our “allow” access then you can use it, if not, then show an error or just nothing…
Is that possible with PHP?
Or do I have to use .htaccess ?
Probably the most straight forward way is to use a .htaccess file. These files typically take IP address and not domains. The code below would only allow from 1.1.1.1 and 2.2.2.2 and anything else would be denied.
<Limit GET POST>
order deny,allow
deny from all
allow from 1.1.1.1
allow from 2.2.2.2
</Limit>
i want to protect some folders from a normal user but i (from localhost or my IP address) m unable to see the folder structure...so i do this
write a .htaccess file in that folder(eg.project/cms/js) and write below code
# no nasty crackers in here!
order deny,allow
deny from all
allow from 192.168.1.7
but by using this prohibit to everyone( including me) to see that folder structure.....
how do i protect that folder from other users except myself?
I think you got the allow and deny the wrong way around:
order allow,deny
allow from 192.168.1.7
deny from all
which first processes all the allow statements and next the deny statements.
I just checked, your above example works fine for me on my Apache 2.
Make sure your IP really is 192.168.1.7. Note that if it's the local machine you're trying to access, your IP will be 127.0.0.1.