Securing directory on hosting server - security

I am writing some PHP scripts that I am using for personal reasons. One thing I noticed is that if I type the directory into the browser, I am able to see all files in the directory.
How can I prevent the browser from viewing any of the files in a directory? I want to be able to send requests to the server and let the server run the script. Can someone point me in the right direction? Should I configure the .htaccess file? If so, what should I be looking for?
FYI: I am on a shared hosted server.

The fast way to do that: create a .htaccess file, e.g. under /public_html/,
and put this code inside it:
Options -Indexes
See "all about .htaccess" for more information.

Related

How to hide directory listing of my website (a shared hosting)?

I'm trying to hide the directory listing of my website.
I'm currently working on a website hosted by 'hostinger'.
I know that I should change something in an Apache-related file, but they (hostinger) say that
I cannot change that, because I'm using a 'shared' hosting service.
So the only way is to add some code in an .htaccess file.
RewriteEngine On
Options -Indexes
This is my current situation in my .htaccess file.
I've googled the info on how to do it, but it keeps listing my directory.
Is there any way that I can prevent it?
Or is it just impossible to accomplish with a shared hosting service?
Try this, to prevent or allow the server to display the index of the files in the folders of your web server.
You can put a .htaccess file in each of your directories with this code:
Options All -Indexes

How does htaccess / htpasswd affect file writing?

I've been developing a website on a local web server and I'm pretty happy with it. I'm about ready to deploy it, but I've been looking at how to limit folder access via htaccess. My concern is that I grab some PHP variables from a document on the web server, and I'm worried that by denying access via htaccess I'll also prevent the PHP file from reading and writing to this document. Is this the case? If so, how would I go about setting up a hierarchy in which my PHP can read and write to my document but people can't access the folder that it's in?
.htaccess is a means to configure a server on a per-directory basis.
If you are going to be writing files using PHP, then it is going to be doing so using the file system (unless you are using HTTP PUT or similar, but you'd know if you were), so the server configuration is irrelevant.
Apache will simply forward your requests to the PHP interpreter. Once the request is past Apache, all rewrites/folder restrictions have already been validated, which means PHP never knows about them (and it shouldn't).
Htaccess is a webserver restriction; if you can access the page, then PHP doesn't care if you have it or not, so you can fopen / edit your files from PHP without problems. Of course, if you write your file to a (different) directory that is htaccess protected, the user will have to insert the password to read it.

Protecting folder and its files

I wish to protect the folder with the core files of a CMS, and its subfolders and files, from being accessed via the web, and I tried with a .htaccess file containing this:
order deny,allow
deny from all
The problem I have is that I can protect that folder, but then some scripts from that folder or its subfolders do not work properly.
I also tried with this:
order deny,allow
deny from all
allow from 127.0.0.1
allow from 76.xx.xx.xx
In this case 76.xx.xx.xx is the static IP of the site.
Is there any way to prevent access to files in that folder but still make everything work OK?
Another question.
I wish to better secure my site from hackers. So, is there any way to prevent the injection of malicious files and code into my scripts/files and/or to block my site from executing files from other sites or hosts, allowing it to work with local files only?
I prefer a .htaccess file, but if needed I have access to WHM if other files need editing (but in that case I will need a step-by-step guide). I am running the site on a Linux VPS with CentOS 5.
The usual way to do this is to put the accessible files in an apache-accessible directory, but all the rest into a directory out of the way from Apache. For example:
/usr/
    local/
        mycms/
            public/
            lib/
/var/
    www/
        mycms -> softlink to /usr/local/mycms/public
Or better yet, make mycms an alias in Apache config, pointing at the public directory. This way, the files that should be accessible are, those that shouldn't be aren't, and you can still reference all your other files simply by ../lib/ etc.
I know this does not really answer your question literally, and if the CMS directory structure is not under your control, this may not be the best way to do it.
Another way is through rewrites - simply rewrite all requests to your CMS directory except for your CMS's entry script into requests for the entry script.
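The two approaches from the answer above, written out as Apache configuration. This is an added example, not part of the original answer; it keeps the Apache 2.2 access syntax used in the question, and the entry script name index.php and the list of static asset extensions are assumptions.

```apache
# --- Option 1: server/vhost config (edited via WHM/root, not .htaccess) ---
# Only public/ is mapped into URL space; lib/ has no URL at all, so there is
# nothing to deny and nothing for a request to reach.
Alias /mycms /usr/local/mycms/public
<Directory "/usr/local/mycms/public">
    Options -Indexes
    AllowOverride None
    # Apache 2.2 syntax, as in the question; on 2.4 use: Require all granted
    Order allow,deny
    Allow from all
</Directory>

# --- Option 2: .htaccess in the CMS directory, when the layout is fixed ---
# Needs AllowOverride to permit Options and FileInfo for this directory.
Options -Indexes
RewriteEngine On
# Pass the entry script (assumed name) through so the last rule cannot loop
RewriteRule ^index\.php$ - [L]
# Assumed list of static assets the browser must fetch directly
RewriteRule \.(css|js|png|jpg|gif)$ - [L]
# Every other URL under this directory is answered by the entry script
RewriteRule ^ index.php [L]
```

With either option, PHP code still loads the files under lib/ through the filesystem (for example ../lib/), which Apache's access rules do not affect.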

.htaccess Rewriting Tomcat Server

I am writing a website using Railo. My code is to be deployed on a Railo Server running on Tomcat, overlaid on a regular Apache+PHP server.
I need to send all requests to http://subdomain.myserver.co.uk/ and its child files to the directory /public_html/railo/tomcat/webapps/ROOT/subdomain/.
I defined a subdomain in cPanel, with the document root as /public_html/railo/tomcat/webapps/ROOT/subdomain/, but still requests to http://subdomain.myserver.co.uk/ display files in /public_html/railo/tomcat/webapps/ROOT/. I can view my files if I request http://subdomain.myserver.co.uk/subdomain/
I've been fiddling with the .htaccess files for quite some time now, but I'm stuck.
Is there any way I can do what I'm trying to achieve, or am I resigned to getting those pages using http://subdomain.myserver.co.uk/subdomain/?
The Railo documentation on adding a site to a Railo/Tomcat/Apache/Linux install is here:
http://wiki.getrailo.org/wiki/Installation:InstallerDocumentation:LinAddingSites
I would also personally recommend against putting your site files in ROOT/sitedir/ because the ROOT directory is already configured for localhost, and making a subdirectory into another site will cause overlapping host configs in the WEB-INF directories.
Instead, just use whatever the default is for your control panel, and update your Tomcat server.xml file to point to the directory that your control panel naturally puts sites in. This will make your Railo site and your control panel work very smoothly together.
Hope this helps!
If you want your tomcat application to serve at example.com and not at example.com/application then you need to deploy your application at /ROOT and not at /application. This will make it the "default web application" so it'll be able to serve directly from example.com.
Have a look at: http://tomcat.apache.org/tomcat-5.5-doc/config/context.html
Cherouvim's answer didn't work for me. Eventually I ended up putting my entire application in the ROOT directory.

question about htaccess file

What is an htaccess file? How do I create and write one? What is the advantage of using an htaccess file?
.htaccess files provide a way to make configuration changes on a per-directory basis. See the official Apache documentation for .htaccess files.
.htaccess allows you to override Apache's (and other servers') main configuration file for a particular directory (and all its subdirectories). To use .htaccess you simply create a new file and name it ".htaccess" (yes, the name is very unusual because it actually consists of only a very long file extension), upload it to your server (if you want to affect your entire site then put it in your root folder), and finally add some directives.
If you want to see what sort of things you can configure with .htaccess, check out this very accessible tutorial: 5 most useful applications of the .htaccess file.
For something more comprehensive visit guide .htaccess.
Hope this helps.
This is mainly used for configuration on the server. The things generally involved in its usage are the following:
-(redirecting server to specific file)
Redirect permanent /index.html (new path)
For more you can refer to http://httpd.apache.org/docs/2.0/howto/htaccess.html#related
