My website deals with images. Whenever a user uploads an image it will be stored in "imagefiles" folder, but the problem is users can see all the images of that folder on web through http. To prevent it I made changes to .htaccess of the folder to be forbidden, but by doing that I am unable to read the images to show it on webpage myself.
So how can I make this folder such that only I can use to read it and when users try to access it through http it should say forbidden?
You could disable the index for that folder, by creating a dummy index.html page, or disabling the default index in your .htaccess with:
<Directory /path/to/image/folder>
Options -Indexes
</Directory>
That will stop people from browsing a directory listing of all images, but not stop them from accessing images directly.
If you want more fine control you should Rewrite all requests to that folder to a PHP script which will check the $_REQUEST['REQUEST_URI'] to determine what image they were trying to load, then if they are allowed to view it by whatever logic you choose, you send out the appropriate headers for the type of image it is, and readfile('/path/to/image');
Probably the most flexible way to do what you want is to get the folder with images out of reach of webserver. Then show them on your page via readfile() (as Paulpro mentioned). There is nice example of how to do that in php manual:
http://www.php.net/manual/en/function.readfile.php
Using this way you will be able very easily control users access to images on your website.
Or you can use mod_rewrite to disable access to directory listing as:
RewriteEngine On
RewriteBase /
RewriteRule ^imagefiles/?$ - [F,L,NC]
Related
I have Apache+Nginx Hybrid server setup running a website with php/mysql backend.
And for security reasons, I am trying to restrict access to my website's internal folders/directories like css, Js and other included php files from direct access of users.
For example if user types https://mywebsite.com/css or https://mywebsite.com/included-php-files/ in the browser url
then it should give him 403 forbidden directory access error.
But when those directories have to be accessed via internal files like index.php in it's Ajax request or Internal inclusions then those directories should be allowed to have access.
I have tried many solutions but they are permanently blocking access even to my website internal files.
/css
/Js
/admin
/sitemap/sitemap files/
These are example of my directories inside my website, I need to hide them from direct access of users from abusing their use.
Last thing I have tried is I added an empty index.php file to each of those folders where I want to stop direct external access, this way when users try to access those folder or directories, It will show them empty page.
But I am hoping if there is some other and better way of doing so, like with nginx or apache ?
Please help me..
I will update if need more clarity about the question..
just use .htaccess file
Put the following line into your .htaccess file
Options -Indexes
So I've my images folder, and I protect it with a index.php file with no text or anything. So they can't browse the images. But is this enough as security? I've tried to disable the url with php but without any success. Is there another way of doing this?
One easy way to prevent the directory content from being displayed is to disable directory listing.
Don't place an index file in the directory you like to prevent from public access. Create a .htaccess file add Options -Indexes to it. This would cause a http 403 error when you point to the directory.
Ok so my current sites is on the .htaccess method to block user access to the directory
e.g. http://www.example/_directory/ via Options All -Indexes
Question should I stick with that or is putting an index file e.g. index.php in every directory better? I'm thinking of an index.php that will redirect to the homepage rather than giving users an error 403 page.
Opinions?
It would be clever to build your web site in a way that these subdirectories also have content (e.g. about/ also shows some information, when about/history/ and about/our-company/).
If the directories contain only files, it's IMHO totally fine to just have a 403.
Answers to your questions might be very biased.
If you're on a Unix/Linux server, you don't need to have blank index files at all in your directories. Just create a .htaccess file and put the following code in it:
Code:
Options -Indexes
When anyone tries to access the contents of a directory that doesn't have an index file, they'll get a 403 error.
Ref : http://wildlifedamage.unl.edu/manual/mod/core.html#options
Apologies if my question is unclear, but I'm not quite up with the jargon. By 'resource directories' I mean my css, php scripts, images, javascript ect.
I used an .htaccess file in my images directory that contained
deny from all
to do this. Though this prevented people from typing "www.example.com/images" into their browser and accessing my images directory, the images stopped appearing on my website.
I assume this is because the .htaccess file is even denying my source code from accessing the images. How can I let my source code access directories? I also have a cron job running a php script every night. The cron job also needs to be allowed to access the scripts directory.
Also, is using .htaccess files even the best way to secure a site?
To prevent someone to view your images directory, you need to disallow Directory Listing.
http://viralpatel.net/blogs/htaccess-directory-listing-enable-disable-allow-deny-prevent-htaccess-directory-listing/
You cannot use deny from all, because nothing can be loaded from that directory from a web browser, so your images which you load with on your website won't load either.
Options -Indexes will disallow people to list files in your images directory. Please see http://viralpatel.net/blogs/htaccess-directory-listing-enable-disable-allow-deny-prevent-htaccess-directory-listing/
For securing data from being viewed by people who shouldn't you can use a authentication. You can setup a login field with htaccess, or script one with, for example PHP or python.
Login script with htaccess:
Script:
http://www.htaccesstools.com/htpasswd-generator/
Password file:
http://www.htaccesstools.com/htaccess-authentication/
You can prevent from accessing any directory you want:
Add this snippet in your httpd.conf file (you can find httpd.conf file here C:\wamp\bin\apache\apache2.4.9\bin)
<Directory "c:/wamp/www/directory_A/">
Options -Indexes
</Directory>
In this case you can access www directory but can't inside directory_A.
or
<Directory "c:/wamp/www/directory_A/uploads/">
Options -Indexes
</Directory>
In this case you can access 'directory_A/' directory but can't inside 'uploads/'.
In my website, i want to restrict viewing certain files which are stored in a directory called "/content" such that only logged in users can view the files
as it stands right now anyone who types in xxxxxxx.com/content/4dc32b1c0a630.png into the browser can see this image file
I've added Options -Indexes to my .htaccess file but that didn't do anything
if it is helpful my site is built using codeigniter, so a PHP solution would be great, though I'd take any advice you might have!
thank you,
Tim
You can write a controller for that purpose.
In one of my projects I've done a resized pictures controller only for logged in users. It's based on timthumb script http://code.google.com/p/timthumb/
In controller __contruct(); write user authentification code and that's all!
So you will call these files via controller, like http://www.site.com/images/1314.png
Use mod_rewrite to rewrite any accesses to anything in /content to a PHP script that will auth the user and then provide the file, either directly or via mod_xsendfile.
Put these lines in your root .htacess file to block access to content/4dc32b1c0a630.png for unauthenticated users:
Options +FollowSymlinks -MultiViews
RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} ^$
RewriteRule ^content/4dc32b1c0a630\.png/?$ - [R=403,L]
However I would suggest you use wild cards (if possible) to match blocked files above rather than listing each and every individual file.