Apologies if this has been asked already. I tried to do an extensive search but I don't know much about htaccess so I don't know which questions have been relevant.
Right now I'm setting up a pretty expansive system with php that requires several pages and functions. To keep things simple and manageable, I have one single file "economy.php" that then requires files from the "/economy/" directory.
I read on another question that the best way to deal with the files within only being accessed from the economy.php file is to use an htaccess file in /economy with deny from all. This worked, except now the images and stylesheet within the /economy directory don't work.
The solution I can think of is to create a directory /economy/pages/ and throw the php files and htaccess file in there. But that's sloppy, and I'm assuming there's an easier way to handle it.
What's my best course of action?
I think you should look at the Files apache directive
So you should have something like that :
<Files ~ "\.(php|.htaccess|php5)$">
deny from all
</Files>
Hope this helps ...
Mimiz
The "deny from all" is blocking the user's browser from accessing the CSS and image files. Best bet is to break up the directory structure. Create top level directories for images, css, js, source, etc. Then update the paths in the code accordingly. You can then use an Apache config (or .htaccess which is slower) to deny outside access to the source dir.
Related
So, I'm sure this question gets asked quite a lot around here, but after a good 20 mins searching, I haven't been able to find any questions that produce the correct result.
I have files, such as /index.php and /dashboard.php which use resource files such as /framework/assets/stylesheets/index.css etc. What I want to do, is block off the access to any files in the /framework/ directory, but still allow usage of them from index.php and the other respective files. How would I configure my .htaccess file to allow me to do this?
I understand that this may not be possible, but is there any way that the directory /framework/ which includes some PHP files to be hidden from users, but still allowed to be accessed via other PHP scripts using include 'file.php'?
Any help would be very appreciated. Thanks.
Since you want to have a css file only available when the specific php script is run you could use a include directive in php and embed this into your other html.
Something like this:
//...
<head>
<style>
<?php
include("/framework/assets/stylesheets/index.css");
?>
</style>
//...
</head>
//...
php-files aren't restricted through htaccess and you include it server side and offer only the stuff you want to the client.
You should't block access to CSS and JavaScript files. If you do so, it means that your site's design is going to break. For include files, try below rules. Place your .htaccess file with below rules in your includes directory you want to forbid access to. These rules allow only $_POST requests on files contained in the directory as well as you can include one file to another restricting the direct access to that include file.
<LimitExcept POST>
order deny,allow
deny from all
</LimitExcept>
As stated in the comments to the original question by Magnus Eriksson, to achieve the effect that I wanted to with CSS files, JS files, and other resource files is something that cannot be done, as these files are directly fetched by the HTML, and therefore use http requests.
The PHP files however are able to be protected, by placing a .htaccess file in the /framework/ directory with the content of:
deny from all
To grant access to the resource's in /framework/assets/, All that needed to be done was to add another .htaccess file with allow from all written inside.
Simple answer to a simple question.
Documentation for further use:
https://httpd.apache.org/docs/2.2/howto/access.html
I am using codeigniter and have put the assets folder in the root of the application that contains a .htaccess file having the content
Deny from all
This is causing problems when I want to connect to the assets folder to get the stylesheets etc. So my question here is is there any way that I can allow the access just to that assets folder, that I have?
I have never used .htacces files so have a very basic knowlege of it. I did some research on my own as well but I wasn't able to find the solution.
In your assets directory add another .htaccess file with the following:
# /assets/.htaccess
Allow from all
And I am assuming in your root directory you have the following (which you will leave):
# /.htaccess
Deny from all
Update: Based on your comment, what you are looking to do is not really possible. The browser needs to have access to your CSS file in order to use it on your page.
Is it possible to set the .htaccess file to deny all users but allow includes such as PHP functions or CSS?
Thanks
Yes, that's one of the most popular uses of the .htaccess file. Set up .htaccess to deny all. Nobody can download the pages in that directory, but you can include php files from this directory in your other directories. You can't really host css files in the directory and then deny all, because the user has to download these directly. Same goes for images and javascript files. Basically, anything the client has to read shouldn't go in a "deny-all" directory, but stuff that only needs to be read by the server, like php includes are fine.
If you don't want something to be downloadable, then don't put it into a public-facing directory. Put those files in a different directory outside the webroot.
This way they don't get exposed if the .htaccess gets disabled somehow.
I use Minify to minify and cache all my script requests. I only want my users to be able to access the minified versions of the JavaScript files.
Minify lies at www.example.com/min and my scripts are at www.example.com/scripts. How can I block direct access to doc_root/scripts which is where my unminified JavaScript files lie. I'd rather not put them out of the document root but it's an option.
Please note that I'm using Zend Framework, so the actual root of my application is shifted to www.example.com/public. An htaccess file handles the rewrite.
Can't you just use an .htaccess file inside doc_root/scripts to prevent all access over the web to .js files over HTTP?
It won't stop minify, since that provides indirect access.
So in doc_root/scripts/.htaccess, something along the lines of
<Files ~ "\.js$">
order allow,deny
deny from all
</Files>
Note that the location of the .htaccess file matters in this case.
You effectively can't block end-user facing code. Even if you served it with PHP or another server-side language and blocked direct requests, it's of course still possible to read it directly with a number of tools.
You should code with this in mind and be mindful with javascript comments, business knowledge, etc.
UPDATE:
However, if you're talking about code that doesn't ever need to be accessed by an end-user, you could as you mentioned move it out of the server root, or you can block the files in your directory (or an entire directory). It's easy with Apache's .htaccess.
order deny, allow
deny from all
You could also redirect the source files to the minified versions with mod_rewrite in your .htaccess file.
RewriteEngine On
RewriteRule /scripts/(.*)$ /min/$1 [L,NC]
Depends on the server you're using. Assuming it's Apache, you can add this to your .htaccess file:
<Directory ~ "\scripts">
Order allow,deny
Deny from all
</Directory>
Or something to that effect..
The only way is to check referers, and not everyone sends them, or sends a real one. In other words, you can't block direct access to anyone who really wants something. It's impossible to determine with 100% accuracy if a request is a direct one or is being done via a <script src=....> type request.
For your Javascript to actually run the user's browser must be able to read it ultimately.
As such there's no real way to "block" access to your scripts folder (well to be precise you can but that would break your website since the browser would not see the files in order to run them.)
One solution could be obfuscation, which makes the javascript code harder to read / understand but ultimately the user will see the code, and with a bit of persevering reverse engineering it can be de-obfuscated.
Another thing i've seen someone do is creating an "empty" js.html page, and insert all their javascript into script tags in the page (embedded, not external), and from his main page make ann ajax request to js.html and embed it at the bottom of the page. kind of a round about way but the user will not see the js when viewing the source unless using developper tools such as firebug.
Note that the last option also might cause some delay depending on the abount of code you are loading. but here the key is not blocking access to your scripts, but just making them harder to obtain / read / copy.
Edit: oops, misread as well. I think the best solution in this case would be to go with an htaccess file in your scripts folder denying all access
This answer is little bit newer, than question (only several years, that’s nothing)
You cannot deny access to JavaScript file, because they wont’t be accessible from <script> tag.
But I found a workaround:
RewriteEngine On
RewriteRule ^.*\.js$ /invalid.html [R=301,L]
Place it in your .htaccess file in your home folder of web. (under htdocs or public_html).
This will automatically redirect everyone from it. So they don’t see it.
for example i have this url: http://localhost/miSite/uploads/ and by doing:
http://localhost/miSite/uploads/../includes/, this results in a directory (includes) linsting.
It'd be great if you could tell me a way to resolve this.
Directory Indexing
You can also use .htaccess to disable indexing, or Directory Browsing. By default, this option is turned on in the server's configuration files. To disable this, add this line to your .htaccess file:
Options -Indexes
The possibility of using relative references is not a real problem:
http://localhost/miSite/uploads/../includes/
resolves to
http://localhost/miSite/includes/
which can be addressed directly anyway. If you have sensitive files in there, you should move them outside the web root, or block the directory listing.
What would be a real problem is if the following would work:
http://localhost/../miSite/includes/
which would serve files outside the document root. But that will not happen with an up-to-date web server.
There's 3 things you can do, ranging from least secure to most secure.
Disable indexes as proposed by #Lizard
Make a rule in the htaccess file to deny access to folders people aren't allowed to access
Move the files that shouldn't be accessed outside of the DocumentRoot.