Laravel 4: how to protect assets folder? - security

I come from CodeIgniter where files/folders are typically protected this way:
.php files
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
index.html files
<html>
<head>
<title>403 Forbidden</title>
</head>
<body>
<p>Directory access is forbidden.</p>
</body>
</html>
I guess can be possible with .htaccess or hard way but, how can be done using Laravel 4? is there a way using its 'standards'?
Edit: Is a project built for shared hosting.
/assets/{css, img, js}
/packages
/system/{app, bootstrap, vendor, index.php, .htaccess, favicon.ico}

You need to make a file .htaccess, after that you need to add the following:
# Disable Directory Browsing
Options All -Indexes

You should set up your application so that everything outside of the initial public directory is outside of your document root. That's one of the reasons why Laravel actually ships with a public directory. Typically most people will symlink this directory to the document root. Anything inside public is, obviously, public. If you'd like your assets directory to be inaccessible you could opt to use htaccess or an index.html file much like how you've described.
If, for whatever reason, you need to shuffle some things around and have your actual application files within your document root then you'll need to implement some form of security if you see the need. This, again, could either be using htaccess or an index.html file. Typically a htaccess approach is simpler. If you wanted to protect the app directory you could drop a .htaccess file in there that looked something like this.
deny from all

I have provided a similar answer to this type of question here: Laravel image gallery logic
In principle - you should store all your assets outside of public - and use PHP readfile() to securely serve them to users as required.

The answer might be a year late, but I thought it might help others who want to tackle something similar.
Check out Kelt Dockins' post here. The Codesleeve Laravel Asset Pipeline would allow you to have your assets folder outside your /public folder, securely.

Related

URL paths work local but not on server

Most of the URL links (css, images, js files etc) in my project are absolute, but these don't work on my server.
I've located the project on my server in a subfolder, so it is going to the root.
How can I change this so the url like /images/background.jpg is going to 123.12.34.56/projectfolder/images/background.jpg instead of 123.12.34.56/images/background.jpg?
I guess it has something to do with Apache config, but I couldn't find it yet...
I'm using Laravel, so maybe there are some laraways to fix this.
Try to take the path url from the root.
If you are using PHP you can use getcwd() function and save it in a variable path root and keep all your URL as relative paths not the absolute paths.
Hope this helps.
what i usually do is create a sub domain (cdn.example.com) and point it to a directory called assets which is in the same level as the public directory. All my js, images, css are in there.
Then in the app.config add a new key value pair 'cdn' => 'http://cdn.example.com'. When i'm adding css or js files i'm using it like this.
<script src="<?php echo Config::get('app.cdn') ?>/js/jquery/1.7.1/jquery.min.js"></script>
Why do this? say if i decide to move my assets to a caching server i can easily do so by moving just the cdn.example.com

Making the Document Root dynamic

I have been searching and looking for the answer to this for SO long now without any joy, I hope someone can help.
Okay I have a web structure of:
Main folder - This is where you first land prior to logging in. After you log in you will be either directed to a number of websites that are resident in a sub-folder called websites. The problem I have is that I would like the document root, say the $_SERVER['DOCUMENT_ROOT'] variable, to default to the root of the website folder that it has been directed to. You see I have a lot of $_SERVER['DOCUMENT_ROOT'] in my php code and I use the '/' slash a lot in the href on my HTML tags.
I have seen that I could accomplish this by adding a .htaccess in the root of eiach website folder but 1, would like work for my situation and 2, could anyone please help me with the code. I understand I can use the RewriteRule command but I can't get my head around it. My folder stricture is like this:
login (index.html)
websites folder
website1 (index.html)
website2 (index.html)
website3 (index.html)
I have tried many versions of using RewriteCond etc but non of them work.
If anyone can help me out here I'd be very grateful.
Thanks
Nothing you can do in your htaccess file that's going to be able to change the document root. One thing that you can do is create separate domains that you can make their document roots point to each of the websites folders. Then proxy to one of those domains.
That way the URL on the browser doesn't change domain names, and internally, you're proxying requests back to yourself and the individual website domains will each have their own document root.

How to prevent website being grabbed by IDM( or anyother webstie grabber)?Is there any way to prevent it?

Using website grabbers whole website with folder structure can be downloaded.
Is there any way to prevent this?
If so,how?
The only way to protect a websites markup is not to publish it. If you want your users to see something they need to get the HTML markup and the images, that should be displayed. And therefore the files need to be accessible. And if your files are accessible every user/bot/crawler/grabber can save these files.
The best way is to put a few files like the index page in the main directory and call the other sub pages in it. If using php then you may do the following.
Say keep the index.php in the main folder and keep the homepage.php in a directory called includes and use the homepage in the index.php via include function in php.
Now add a .htaccess file to the includes folder which must contain
"deny from all"
This way users can use the page but will not have direct access to the files. So will be for the grabber.

.htaccess for CodeIgniter

My CodeIgniter structure :
public/
application/
system/
I don't want anyone to access http://exampble.com/public, allow only the application to access the resource. I tries to create the file .htaccess in directory with the content 'Deny from all', so the user can't access this directory. But my application can't access as well.
How can I solve this problem?
Please give me any idea. Thanks.
From its name, it appears that you're using the 'public' directory to store relevant images and css for your site.
If that is the case, then there's no way you can prevent users from accessing it, unless you don't want to serve images or display styling for your website.
You may however enable what's called hot-link protection which will check for the referrer for each request (not very secure, but thought it might help you out).

Fully securing a directory

What are the different approaches to securing a directory?
including an index page so contents can't be viewed
the problem with this is that people can still access the files if they know the filename they're after
including an htaccess file to deny all
this seems to be the best approach, but is there any case that an htaccess file can be passed by? are there any cases as well where htaccess is not available?
restricting folder access
this is also a nice solution, but the problem is, the folder I'm trying to secure should be viewable and writable by the program.
Are there any other ways that folder security can be done?
Best practice for Apache is to use htaccess to restrict - this only restricts from the webserver - but that should be what you need. You can add authentication into this - but for most needs to you can just deny all acess - which hides the directory completely.
Another method that can also work well with using htaccess to deny direct access would be to use htaccess in your route directory to rewrite urls. This means that a request such as /example/listItems/username/ted can be rewritten as a call to a php or other file such as:
/application/index.php?module=listItems&username=ted
The advantage of doing this is that the webserver does not give out paths to any directories so it is much more difficult for people to hack around looking for directories.
If you want to protect a directory of images you could also use htaccess to redirect to a different directory so that /images/image5.png is actually a call to :
/application/images/image5.png
You could also try not placing your protected directory under your www dir but on other "non www visible" location. If your app needs to read / write data, tell it to do it on the other location. Modify its properties so only the app has the proper rights to do so.

Resources