css not working properly after forbidding a folder - .htaccess

Good day. Got a problem here. I'm trying to forbid a folder and i succeeded from it,the problem for now is, I can't use it anymore.My web design does not work when I included it. How can i fix this?
I have tried to use options -indexes but it would not block the access if someone knows the file name like folder/css/index.css.
How can I block a user from accesing it without affecting my web-design.

By blocking access to the folder, you stopped the browser from being able to access it, which it needs to do in order to display it.
You won't ever be able to totally stop users from directly accessing the css file, if they're determined enough. The browser has to download the css file (so too can the users).
There are steps you can take to make it harder though. You could obfuscate/minify the CSS code to make it harder for people to understand - http://www.cssobfuscator.com
You could also check to make sure the referrer header is your website to prevent hotlinking - see http://www.htaccesstools.com/hotlink-protection/
Ultimately though, it will always be accessible and visible to your users

You can forbid access to the folder using the following in your /.htaccess
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !your_ip_address_here
RewriteRule ^folder/css/index\.css - [F,L,NC]
That means only your IP address will be able to access the protected folder.

Related

Hide directory where css, js, image folder are placed

I want to secure and hide my asset folder from publicity. I hear that can be done with the .htaccess file and change the name from my directory-name to random name of the directory and in that case, users can't know the real name of my directory placed into my public_html. Can someone help me with examples of all kinds of documentation? I didn't try anything because I have really bad knowledge of .htaccess coding. Any help will be thankful.
Well, you can do this, but I'm curious as to the purpose if it's just to casually "hide" the underlying file directory? This doesn't really offer any additional "security" and can also cause issues if you have a front-end proxy that is intended to serve static content. It can also be problematic if you are using a CMS like WordPress as you may need to modify the default behaviour. (Although there may be other developmental issues for which you would choose to do this.)
Ideally, you would do something like this with the Alias directive in the main server config (or vHost container).
In .htaccess you can internally rewrite the request using mod_rewrite. Lets's say you are referencing /assets in the URL, but the actual filesystem directory that this should map to is /secret then you could do the following to simply forward all requests to /secret:
RewriteEngine on
RewriteRule ^assets/(.+) secret/$1 [L]
Only requests for /assets/<something> will be forwarded. A request for /assets or /assets/ will simply result in a 404 (assuming this directory does not actually exist).
To be more selective and only forward requests for specific file types, based on the file extension, then you could do something like the following:
RewriteRule ^assets/(.+\.(?:jpg|webp|gif|css|js))$ secret/$1 [L]
You could also check to see whether the target file actually exists before rewriting, but this is generally unnecessary and best avoided since filesystem checks are relatively expensive.

Ignore last part of URL with .htaccess

We have a FAQ page /faq (tab style) where every question should have its own 'ghost' url/page. So users could visit eg.
/faq/question-1
/faq/question-2
/faq/question-3
The problem is question-1, question-2, question-3 are not actual pages but just sections on /faq. For SEO, aesthetics and usability reasons we do not want to work with ?q= or #
I've searched and tried every .htaccess thread I came across but without result.
Is there a way we can show the page/faq when visiting /faq/question-1 and keep the url /faq/question-1 with mod_rewrite? (we cannot hardcode it because we do not know all future question slugs) So basically something that tells the browser: if the first url part is /faq/, just ignore everything that comes behind but keep the url.
Thanks
This is a trivial rewriting task and it is unclear why this should not work for you:
RewriteEngine on
RewriteRule ^/?faq/.+ /faq [END]
Since you claim that you "tried every .htaccess thread you came across" and this clearly works the question is: why not in your setup? But since you did not tell us anything about your setup we cannot really offer more help...
These are some general hints though which you should go through:
Where did you implement the rules you tried? In the http server's host configuration or in a distributed configuration file?
If you are using a distributed configuration file (".htaccess") then how did you make sure such files are interpreted by your http server and how did you test that?
Did you check your http server's error log file for hints?
Did you make sure that you are not actually looking at cached responses? So did you really test with a fresh anonymous browser window using a "deep reload"?
Since the CMS you are using requires own rewriting rules, where did you add those rules you tried? Remember: the order is important!

Dealing with Laravel routing without htaccess mod_rewrite capability

So, currently, I do not have the ability to utilize .htaccess, I have no control over the server config at the moment, so I have to live with /index.php/ in my URL. That's not a problem, but there is one issue.
If I go to webserver.com/site/index.php everything works fine. But, if I go to webserver.com/site/ (without index.php) the site loads but all the links are broken (relative to /site/ instead of /site/index.php/).
I've tried various ways to build the links with url() and route() but I can't get anything to work short of hard-coding the full url for every link.
Any ideas?

Allow file access from code, but block from browser?

I have my .htaccess file, and I have a folder with config files in there, and they contain sensitive content, e.g. database details etc. What I would like to know is, how can I block access from a browser, but allow them to be accessed via my scripts?
I know that this can be achieved inside the PHP files themselves, but I'd rather use the .htaccess approach where possible.
Is this actually able to be done? I've attempted it before, but in the process of denying access to the file from the browser, it also denied access from the coding.
I have looked into this before, and some of the answers I came across suggested changing the extension to something like .inc, and then denying access to that. However, a couple of issues I have with that is that a) It instantly alerts anyone that can see that filename, for whatever reason, that it is a config file. Also, b) If my denial code breaks, browsers will not parse it as a PHP file, but rather an inc file, meaning it will print the code in the browser.
Basically, can this be done within a .htaccess file, or do I need to put something in the header of every config file?
Put these files outside of your web server's document root.
You can still access them via your server-side scripts, but this ensures no direct access to them from the outside world.
The conventional advice is to place such files "outside of your web server's document root". This is all well and good, but many shared hosting offerings only give write access to your public_html directory.
I use a simple convention: any private content (that is not URI addressable) is prefixed by an underscore or in a directory that's name is prefixed with an underscore (eg. _private or _include). I then include this rewrite rule in my DOCROOT .htaccess file:
# if a forbidden directory or file name (starting with a . or /)
# then raise 404 Fatal return
RewriteRule (^|/)[_.] - [F]
Remember that you'll need to prefix with a RewriteEngine On and/or include this at the top of any .htaccess file with the engine enabled.
Note that the "." prefix picks up files such as .htaccess.
Please use a framework, these kind of issues just doesn't need to exist. If you insist though, write a .htaccess to redirect every request to a single index.php in the root directory, which then have more logic to determine whether or not the request is for a valid file and include them, otherwise generate 404 or 403. If you need performance for static files, then use RewriteCond to exclude specific directories or file type from the index.php check.

Fully securing a directory

What are the different approaches to securing a directory?
including an index page so contents can't be viewed
the problem with this is that people can still access the files if they know the filename they're after
including an htaccess file to deny all
this seems to be the best approach, but is there any case that an htaccess file can be passed by? are there any cases as well where htaccess is not available?
restricting folder access
this is also a nice solution, but the problem is, the folder I'm trying to secure should be viewable and writable by the program.
Are there any other ways that folder security can be done?
Best practice for Apache is to use htaccess to restrict - this only restricts from the webserver - but that should be what you need. You can add authentication into this - but for most needs to you can just deny all acess - which hides the directory completely.
Another method that can also work well with using htaccess to deny direct access would be to use htaccess in your route directory to rewrite urls. This means that a request such as /example/listItems/username/ted can be rewritten as a call to a php or other file such as:
/application/index.php?module=listItems&username=ted
The advantage of doing this is that the webserver does not give out paths to any directories so it is much more difficult for people to hack around looking for directories.
If you want to protect a directory of images you could also use htaccess to redirect to a different directory so that /images/image5.png is actually a call to :
/application/images/image5.png
You could also try not placing your protected directory under your www dir but on other "non www visible" location. If your app needs to read / write data, tell it to do it on the other location. Modify its properties so only the app has the proper rights to do so.

Resources