How to avoid showing files content on website - .htaccess

I have a simple PHP website. I want to know if there is any way to prevent users from accessing the files on my website,
like CSS files and other things.
To prevent my files from showing in folders and directories, I used an .htaccess file and put this code inside it:
Options -Indexes
But some users can still access the file contents, like the CSS code.
For example, if a user visits this URL:
www.mysite.com/folder
this message should be shown to him:
Forbidden
You don't have permission to access /css/ on this server.
But if users visit this URL:
www.mysite.com/folder/file.css
then the CSS will appear to him...
I want to know how I can prevent this problem
and restrict files from users?

You need to allow access to some static files like .css, .js, .jpg, etc. for your website to display correctly.
If you want to avoid hotlinking you should create an .htaccess with this content:
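RewriteEngine on
# Let requests with an empty Referer through
RewriteCond %{HTTP_REFERER} !^$
# Let requests referred by your own domains through
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain2\.com [NC]
# Every other image request is redirected to a placeholder image
RewriteRule \.(jpg|jpeg|png|gif)$ http://hpmouse.googlepages.com/hotlink.gif [NC,R,L]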

Related

.htaccess load index.php but not other .php files

I want to configure the .htaccess file to work the following way:
If the visitor tries to open a url with an existing folder name, redirect to main page (index.html).
I have the following rules for that:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !/index.html$ [NC]
RewriteRule ^data/existing-folder-1$ https://example.com [R=301,NC,L]
RewriteRule ^data/existing-folder-1/$ https://example.com [R=301,NC,L]
RewriteRule ^data/existing-folder-2$ https://example.com [R=301,NC,L]
RewriteRule ^data/existing-folder-2/$ https://example.com [R=301,NC,L]
</IfModule>
And it's working fine.
If the user tries to open a forbidden type of file (like .php), send to 403.
RewriteCond %{HTTP_REFERER} !^https://example.com [NC]
RewriteRule \.(php|log|htaccess)$ - [F,L,NC]
And it's also working fine.
I don't want users to see the contents of the folders, so I have this line:
Options -Indexes
I think that's all the important details to see the background.
I have a /rd folder with a simple index.php file to redirect URLs:
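<?php
// Read the redirect target from the query string (empty string if absent).
// Note: $url is user-controlled and is passed to the Location header as-is.
$url = $_GET["url"] ?? "";
if (empty($url)) {
    // no target given
} else {
    header("Location: " . $url, true, 308);
    // later on with special functions
    exit();
}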
Such a link on my page looks like this:
https://example.com/rd/?url=https%3A%2F%2Ffoo-bar.com%2Fexample
Please note that index.php is not written after /rd/ and before ?url. But if it's easier to solve this issue, I can modify it.
And now the problem comes here:
When I click on such a link through my website, it works perfectly.
But when I copy this redirect link and try to open it in a new tab/window, it says 403 Forbidden. I think it's because of rule #2, which disables access to .php files from outside my domain.
Since I want to share those redirect links, I want them to open when the links are copied and pasted.
I also don't want anyone to access any of my .php files - so it's not an option to remove rule #2.
How can I solve this issue? How can I enable the redirect links to be used "alone", while keeping the rules to prevent access to files/folders?
Thank you.

Apache: Disallow external access to directories via .htaccess

The goal is to prevent anyone other than the application itself from accessing the items within several specific folders.
Having read through some of the answers, I have:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://app.domain.co.uk/*
RewriteRule ^(folder1|folder2)$ - [L,F]
I've placed the .htaccess in the same folder as folder1 and folder2, but it's not blocking access from external sources.
I've tried forward slashes before the folder names, but that made no difference.
Also, we are using the app sub-domain, and we are using SSL, if that's of importance.
Any suggestions?
Use this rule as your first rule in the .htaccess placed in the parent folder of folder1, folder2:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://app\.domain\.com [NC]
RewriteRule ^/?(?:folder1|folder2)(?:/.*)?$ - [L,NC,F]
# rest of your rules go below this
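
One way to check from the server side whether a Referer rule like the one above is actually refusing requests (an added example, not part of the original answer): a log audit that lists requests under the protected folders that were served with no Referer or with one from another host. The log lines are constructed; the folder names and app.domain.co.uk are taken from the question. The Referer header is supplied by the client, so the audit shows what the rule refused, not who made the request.

```python
import re

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Assumptions: folder names and application host as given in the question.
PROTECTED = re.compile(r'^/(?:folder1|folder2)(?:[/?]|$)', re.I)
# Anchored at the end of the host name so only the application's own host matches.
OWN_REFERER = re.compile(r'^https?://app\.domain\.co\.uk(?:[/:]|$)', re.I)
REFUSED = {401, 403, 404}


def audit(lines):
    """Return (path, referer, reason) for protected requests that were served."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not PROTECTED.match(m["path"]):
            continue  # unparsable line, or a path outside the protected folders
        if int(m["status"]) in REFUSED:
            continue  # the request was refused
        referer = m["referer"]
        if referer in ("", "-"):
            reason = "served without Referer"
        elif not OWN_REFERER.match(referer):
            reason = "served to foreign Referer"
        else:
            continue  # request came from a page of the application
        findings.append((m["path"], referer, reason))
    return findings


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /folder1/report.pdf HTTP/1.1" 200 5120 "https://app.domain.co.uk/dashboard" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:02:11 +0000] "GET /folder2/export.csv HTTP/1.1" 200 904 "-" "curl/8.5.0"',
    '203.0.113.5 - - [12/Mar/2024:10:03:40 +0000] "GET /folder1/ HTTP/1.1" 403 199 "https://other.example/page" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2024:10:04:05 +0000] "GET /folder1/a.png HTTP/1.1" 200 2048 "https://other.example/page" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2024:10:05:00 +0000] "GET /css/style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, referer, reason in audit(SAMPLE_LOG):
        print(f"{reason}: {path} (Referer: {referer})")
```

An empty result for a period in which outside requests were made indicates the rule is being applied; any finding points at a rule that is not matching the path or not being read at all.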

Restricting file/directory access htaccess

I'm slowly starting to learn how to use HTACCESS, and the code below doesn't work for some reason; the Options part itself works.
Options +FollowSymlinks
RewriteEngine on
Options ALL -Indexes
So I'm already restricting users from accessing directories, but is there any way to restrict them from accessing all files in certain folders directly?
Right now people are restricted from folders /php/, /css/, etc., but if they type /css/style.css they will access that file.
Options -Indexes is not used to restrict access per se. It's to prevent listing files in your directory so that they can't access or see all your files in the folder. So if there is no index file it will give a forbidden error.
You need to explicitly block access and use other directives. You can use <Files> with Order, RewriteRule, etc.
An example of blocking file types in a directory would be like this.
For instance I have an images directory and want to block jpeg, jpg, png and gifs
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/images [NC]
RewriteCond %{REQUEST_URI} \.(jpe?g|png|gif)$ [NC]
RewriteRule .* - [F,L]
Side note, blocking CSS is irrelevant anyway because the browser has to load it to view the page properly. There's no point in doing so because you can inspect any element to see the styles on all modern browsers.

How to prevent downloading using htaccess

I have some video files, a few of which are not public. I want to access them through a video player, but I also need to prevent direct download from the address bar. Also, if a user pays for it, they can download.
I tried with an .htaccess file, but it is still not solved.
I tried the following:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^(https?://)?yoursite.com
RewriteRule ^/?video_files - [L,F]

.htaccess redirecting requests to the same folder

I want to use .htaccess to redirect different requests to the same folder.
E.g.:
domain.de/ordner1/fileX.html
domain.de/en/folder1/fileX.html
domain.de/it/casella1/fileX.html
So whenever something is requested out of /ordner1/, /folder1/ or /casella1/ I want .htaccess to fetch the requested file out of a specific directory like domain.de/all/fileX.html.
I want to prevent duplicate content but also keep the folder names in the selected language.
Could you help me solve this problem?
Try adding the following to the .htaccess file in the root directory of your site.
RewriteEngine on
RewriteBase /
#skip css, js etc
RewriteCond %{REQUEST_URI} !\.(css|js) [NC]
#if request to ordner or folder1 or casella1, serve the file from all/
RewriteRule ^(ordner1|en/folder1|it/casella1)/(.+)$ all/$2 [L,NC]
In your docroot/.htaccess:
RewriteEngine On
RewriteBase /
RewriteRule ^(ordner1/|en/folder1/|it/casella1/)(.*$) all/$2 [L]
You would need to add extra names to map other translation equivalents.
