is there a way to deny outside access to my upload directory ?! I don't want users to access my upload directory : www.example.com/uploads
i used .htaccess in the root of my upload folder however all the links were broken
in my .htaccess :
deny from all
any solution ?
If you wish to disable directory listing, simply place 'Options -Indexes' in your htaccess.
You've applied a 'deny from all', which essentially stops ANYONE from accessing files in the directory to which it applies.
Also make sure that 'AllowOverride All' is specified in the vhost definition, otherwise you are unable to override settings via the htaccess file. That is my understanding anyway.
If you wish to disable access to the upload directory, and control which files in specific users can access, I'd recommend going through a script written in a language such as PHP. A user requests a file from the script, the script looks to see if they're allowed to view the file. IF they are, they file is displayed. IF they aren't then it is not.
References
http://www.thesitewizard.com/apache/prevent-directory-listing-htaccess.shtml
http://mathiasbynens.be/notes/apache-allowoverride-all
Related
I want to deny access to particular directory to show list of files in it in the browser. For example, If I go to the url, localhost/myproject/assets, it will show all the list of files in it, I want to deny that. And also if logged in user access specific file in it, for ex : localhost/myproject/assets/uploads/img/1.jpg then it should be accessible.
Also how to deny access to a localhost/myproject/assets/uploads/img/1.jpg if that 1.jpg is uploaded by some other user.
I'm new to laravel ,Any help is much appreciated. thanks
You could add the following to the .htaccess file in the folder. This might help.
Options -Indexes
You cannot deny the access to the jpg uploaded by another user.
If you are using Apache, you can place a .htaccess file in the folder you want to block. Then you can use deny from all to block all requests to that folder.
This works because a .htaccess file can be in every directory in your web root, and only cares about the directory it is in and its subdirectories.
See this answer.
In htaccess I am blocking directory browsing by using the following code.
# directory browsing
Options All -Indexes
However, I want people to have access to a certain folder, let's say the folder is called pictures, so the folder is at mysite.com/pictures.
How do I give access to that folder/directory, but keep the rest blocked?
Put a .htaccess file into your pictures folder, with this line:
Options Indexes
(or "+Indexes", which is the same.) That should take care of it because child .htaccess files override parents.
From your question it's not clear that you understand the limitations of "Options Indexes". This does not "block" access to a directory; it merely turns off an auto-generated directory listing. Knowing a filename, anyone can still access the resource whether Indexes are enabled or not.
I have an xml file on the server containing details to the database server. I don't want anyone to be able to access it via url but PHP should be able to load the file
Two ways:
Simple move all those kinds of files outside the webroot, for example /application instead of /public_html/myapplication. You only need accessible pages (index.php etc.) inside the webroot.
Or if that's not possible/too hard, add this in .htaccess in the folder that contains the XML file (but it cannot contain files that should be accessible)
.
Order Allow,Deny
Deny from All
you could use .htaccess file: http://httpd.apache.org/docs/1.3/howto/htaccess.html
but, why put it in XML? put it in PHP as variables, then even if they visit the page they won't be able to see it.
I don`t know anything about .htaccess files except how to secure a folder or deny access.
I want to deny direct access to .js files (by typing the file name in url) on my server, say the files are stored in a folder named /js/ how can I use the .htaccess to do that?
You cannot do that.
Actually there is no 'direct access' or 'indirect access'. The browser accesses the JS file the same way when you load it from a SCRIPT tag and when you try to load it separately (typing the file name in browser).
What are the different approaches to securing a directory?
including an index page so contents can't be viewed
the problem with this is that people can still access the files if they know the filename they're after
including an htaccess file to deny all
this seems to be the best approach, but is there any case that an htaccess file can be passed by? are there any cases as well where htaccess is not available?
restricting folder access
this is also a nice solution, but the problem is, the folder I'm trying to secure should be viewable and writable by the program.
Are there any other ways that folder security can be done?
Best practice for Apache is to use htaccess to restrict - this only restricts from the webserver - but that should be what you need. You can add authentication into this - but for most needs to you can just deny all acess - which hides the directory completely.
Another method that can also work well with using htaccess to deny direct access would be to use htaccess in your route directory to rewrite urls. This means that a request such as /example/listItems/username/ted can be rewritten as a call to a php or other file such as:
/application/index.php?module=listItems&username=ted
The advantage of doing this is that the webserver does not give out paths to any directories so it is much more difficult for people to hack around looking for directories.
If you want to protect a directory of images you could also use htaccess to redirect to a different directory so that /images/image5.png is actually a call to :
/application/images/image5.png
You could also try not placing your protected directory under your www dir but on other "non www visible" location. If your app needs to read / write data, tell it to do it on the other location. Modify its properties so only the app has the proper rights to do so.