To secure my site I placed blank htmls along with an htaccess file in every subdirectory but I didn't realize the denying all access would also mean denying access from the website itself. When I try to load a page, and it goes into the Images folder, the server responds with:
Failed to load resource: the server responded with a status of 403 (Forbidden)
So how do I change this htaccess code:
order allow,deny
deny from all
Options All -Indexes
To deny access to everything outside of the website, meaning the website itself can access its own content (images, js, css) but no one outside can.
You've already accomplished your stated goal, but obviously that's not really what you're after. Basically everybody that browses to your site is coming from outside and requesting assets from your server. When I request index.html, or any other page from your server, it doesn't send me a complete package as it were, with all of the page's assets wrapped up inside, it just sends me the text that comprises index.html. At that point the browser parses that and handles it accordingy; when it comes across an image tag that has a src on your server, it fires off a new request for that asset, and hopefully your server sends it back in response. [Yes, I realize that was all ridiculously simplified.]
As you've got things set up now, you're denying access to anybody and everybody that requests any assets from your server, which is why you're getting the 403 responses. So whatever it is you actually want to do is going to require a more tightly focused approach. I'll take a stab at it and guess that what you really want to do is prevent people from hot-linking your images?
Related
i have some problem with .htaccess file.
For prevent download or print of pdf documents , i am using PDF.js for reading contents.
Now i want to disable direct http connection to those files.
Inside the pdf.js folders, i put a directory called "doc", that contains all items and this .htaccess:
Order allow,deny
Deny from all
<Files ~ "viewer\.html$">
Allow from all
</Files>
Where viewer.html is the page that contains the documents reader.
So, when i try access from my browser to
localhost:8080/test/pdfjs/web/viewer.html?file=doc/mondia.pdf
i get:
Unexpected server response (403) while retrieving PDF "../test/pdfjs/web/mondia.pdf"
Where i am wrong?
If PDF.js is running inside the user's web browser, then the user needs to be able to download the PDF document. Apache can't (reliably) tell the difference between "PDF.js on the user's computer" and "Google Chrome on the user's computer" - both are HTTP requests from the user's computer for the resource.
If you really wanted to, you might be able to detect some header set by PDF.js when it requests the PDF, and refuse requests without that header. That would stop casual users directly accessing the file, but anyone who presses F12 in their browser could see the PDF being downloaded by PDF.js and save the contents from there.
Even if you served it in some form other than PDF, the user could copy and paste the resulting HTML, or take a screenshot of how it renders to the screen.
Stopping a user doing something with their own computer is fundamentally hard; if they can read something on their screen, you have sent it to them in some form. To really block them, you need a trusted "DRM" encryption system that renders directly to screen without ever making decrypted data accessible to the user. In the vast majority of cases, that would be completely overkill, and just annoy your users (for instance, blind users probably won't be able to access the content, as their screen reader software will not be trusted).
You can try with this plugin
https://it.wordpress.org/plugins/editionguard-for-woocommerce-ebook-sales-with-drm/#description
or similar,
DRM is the best solution for wordpress site.
Or try with this header in pdf-js
How to set range header from client with pdf.js?
Please edit the .htacess file present in Vtiger_root_location/storage
add 'pdf' option as follows:
I have recently launched a website on GoDaddy hosting. I have keept some images and JavaScript files used in website, in separate folders. I want to prevent the users from browsing those images and files by simply appending the folder and file name in the website URL. For example
www.example.com/images/logo.png
If I understand correctly, you want to have html file with images, that shouldn't be accessible alone? If yes, then it cannot be done. You can watch for correct HTTP Referrer header, but it can be simply faked and it also makes it inaccessible for browsers that don't send referrer or having sending it forbidden for "privacy" reasons.
If you want hide files to be accessible only by server side scripts, ftp/scp, then you can try to use .htaccess (if GoDaddy runs on Apache) and correct configuration: https://httpd.apache.org/docs/2.2/howto/access.html
Another way could be hiding that files and creating one-shot token like this:
<img src=<?pseudocode GEN_TOKEN("file.jpg") ?> /> with another file serving these hidden files just for generated token, then deleting it from DB. Nevertheless, this will not protect anybody from downloading or accessing these files, if they want...
But, anyway, try to clarify your question better...
If you are keeping images/files in folder which is open to public, I guess you kept in that folder for purpose, you want public to access those images and files.
How public know images file name? Stop file content listing for your web site.
I am not aware which language you are using on web server, but in ASP.NET you may write module/ middle ware which can intercept in coming request and based on your logic (e.g. authentication and authorization) you can restrict access. All modern languages support this kind of functionality.
As per the guidelines to speed up site, I have off-loaded all my static content (JS|CSS|IMAGES) to a subdomain static.example.com.
The site is working fine but the problem arises when I load the secure pages. Browser throws a warnings for "InsecureContent" being loaded into my page.
We have ssl for only root domain not subdomain. I can't get another one but want to handle it this way. As the subdomain folder can be accessed inside the root folder i want this.
I want to handle this with .htaccess this way ->
When referer is https ://www.example.com/anything.php
Rewrite http ://static.example.com/folder/file.ex to https ://www.example.com/static/folder/file.ex
Somebody help me doing this.
Not going to help at all. In order for anything inside an htaccess file to get processed, the request has to have been received by the webserver. When your browser pops up the "Insecure Content" warning, it hasn't sent the request yet. This warning pops up when negotiating the SSL connection, and in your case, your cert doesn't cover the domain the request is being made to. That means adding any sort of redirect on the server's end isn't going to help. You're still going to see the warning.
You need to ensure that your content points to http://static.example.com/ somehow, by either using a relative URI base or maybe absolute URLs that explicitly point to http://.
Another option may be to use some kind of javascript on the client side.
Since 1st Oct is coming. I am working on Secure Canvas URL stuff.
My canvas url is like canvas.example.com. I can make this domain and server SSL ready without a problem.
My question is, should every http request made by canvas.example.com also change to https?
e.g. I import some JS, CSS, images from cdn.example.com to my canvas page, should i configure cdn.example.com alos can be accessed via https, or I can just leave this domain alone, still use http to get those content?
thank you very much.
You should make all content served over https or the browser will show warnings.
Facebook policies clearly mention that all the Page Tabs and iFrame Applications shal have an SSL certificate..
Any external content like images and JS included on your site shall also come from secured hostings hence the Https:// else your shall not be complying to FB Policies..
Gives the fact that FB has been very strict on punishing defaulters i dont think any app developer can take risk ..
how can i stop accessing my website content [like image,swf,pages etc.] from other domain?
suppose my server has a myflash.swf file in my server with live url http://www.mydomain.com/flash/myflash.swf . i want this flash can't be accased by any other domain using the live url. is it possable?
thanks in advance.
If its HotLinking that you wish to disable, these links may help you:
Htaccess Disable Hotlinking Code Generator
Disable Hot-Linking of images and other files
There is a HTTP header called referrer. It usually contains the site which request your swf to download.
When the Referrer value matches your domain name name, you can serve the content. Otherwise reject it.