For all kinds of reasons, I have a dir inside app/webroot/ that needs protection (/files). I'm not familiar with the inner workings of CakePHP, because I hired someone for this project. This person, however, can not supply an answer. It's also not feasible to move the directory.
What I tried was placing a .htaccess inside the app/webroot/files/ and link to an .htpasswd file outside the the regular file tree. This does not work, I'm getting a 401 error. Placing the .htpasswd inside the same dir doesn't change anything.
From other questions I have gathered that I need to modify the other .htaccess files used by CakePHP, but it's not clear to my how.
The one other question that looks like mine is about protecting the entire webroot dir, which is not what I need.
I also tried securing the files with a PHP download script that checked the session, but somehow that is often failing with my clients, not sure why.
The HTTP 401 status (note: 'status', not 'error') is the 'Unauthorized' status, which is precisely the status you need for unauthorized people.
This sort of suggests to me that the protecting works, but that checking the authorization credentials to allow access fails.
It might help if you post your .htaccess code (leave out any sensitive data of course ;) )
Related
I've been looking around for a good answer to this, but I can't seem to find an answer that really works for me. It's a pretty simple question.
I'd like to restrict users from accessing a specific file like this:
https://www.example.com/styles/homestyles.css
Though I would like homestyles.css to still be accessible by the website. All solutions I have found so far seem to block all access to homestyles.css which causes the website to load with no styling.
I've tried using Options -Indexes in my .htaccess file, which returns a 403 error when the user tries to access https://www.example.com/styles, though files inside the /styles directory are still accessible.
What is the best way to do this using .htaccess?
I've made a site 1 year ago using php, when I had alot less experience. My teacher and I were analysing the code today and there seems to be a security issue. He wants me to fix it before he gives me the points I need.
I've got an index.php and an edit.php file in the root directory, and a login page in /php/login.php (which I find to be a very silly place to put a login file in, now that I look back on it, I would probably swap edit.php's and login.php's directory's if I were to rewrite my site).
Basically, I want these three files to be accessible externally. I want all other php files to be restricted from the outside, so it's impossible to do an ajax call to /php/phpsavefile.php from outside the system (which is the security issue I mentioned). edit.php makes the ajax call to /php/savefile.php.
I think this is what I need to get the job done:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
<Files /index.php>
Order Allow,Deny
Allow from all
</Files>
But how can I add three files instead of just one after <Files and before >?
I've also tried second approach:
Order Deny,Allow
Deny from all
This doesn't seem to work because an ajax call appears to be a regular http request as well, so it gets a 403 response.
Another approach I tried was putting the restricted php files inside a map called "private"
in the same folder where "httpdocs" remains (the parent folder of webroot). My teacher had told me about an admin folder, that no one can access but the site itsself. I tried including the restricted php files inside the private folder, but it didn't seem to include it properly...
Any help or tips for this novice at .htaccess would be appreciated :-)
Edit:
.htaccess allow access to files only from includes
Ray's comment said:
Of course, because they are requested by the client. You can't "allow the client" and "not allow the client" to serve files.
I suppose this is true, but how can I prevent people from calling my ajax file?
I secured it by checking if the user was logged in.
I have my .htaccess file, and I have a folder with config files in there, and they contain sensitive content, e.g. database details etc. What I would like to know is, how can I block access from a browser, but allow them to be accessed via my scripts?
I know that this can be achieved inside the PHP files themselves, but I'd rather use the .htaccess approach where possible.
Is this actually able to be done? I've attempted it before, but in the process of denying access to the file from the browser, it also denied access from the coding.
I have looked into this before, and some of the answers I came across suggested changing the extension to something like .inc, and then denying access to that. However, a couple of issues I have with that is that a) It instantly alerts anyone that can see that filename, for whatever reason, that it is a config file. Also, b) If my denial code breaks, browsers will not parse it as a PHP file, but rather an inc file, meaning it will print the code in the browser.
Basically, can this be done within a .htaccess file, or do I need to put something in the header of every config file?
Put these files outside of your web server's document root.
You can still access them via your server-side scripts, but this ensures no direct access to them from the outside world.
The conventional advice is to place such files "outside of your web server's document root". This is all well and good, but many shared hosting offerings only give write access to your public_html directory.
I use a simple convention: any private content (that is not URI addressable) is prefixed by an underscore or in a directory that's name is prefixed with an underscore (eg. _private or _include). I then include this rewrite rule in my DOCROOT .htaccess file:
# if a forbidden directory or file name (starting with a . or /)
# then raise 404 Fatal return
RewriteRule (^|/)[_.] - [F]
Remember that you'll need to prefix with a RewriteEngine On and/or include this at the top of any .htaccess file with the engine enabled.
Note that the "." prefix picks up files such as .htaccess.
Please use a framework, these kind of issues just doesn't need to exist. If you insist though, write a .htaccess to redirect every request to a single index.php in the root directory, which then have more logic to determine whether or not the request is for a valid file and include them, otherwise generate 404 or 403. If you need performance for static files, then use RewriteCond to exclude specific directories or file type from the index.php check.
I created/edited a .htaccess file and I got my site password protected fine. Question though: Is there such thing as a URL key? Maybe I'm wording that incorrectly, but I would like to keep my site hidden, but be able to send out a specific URL that can view the site. What's the best way to accomplish this?
Thanks in advance.
If doing as Greg suggests and putting it in a folder isn't good enough for you, you could set the .htaccess to rewrite all url's to a php file (or whatever language you are using) and it checks some sort of database (or xml file or whatever format you want) for a key or parameter in the URL, and if its not there it can return a 404 in the header. That way unless they guess the url exactly it will return a 404 like there's nothing there.
And be sure to turn virtual directory listings off too.
Simply put your site in a directory that's using a "secret" name:
http://example.com/opensesame/
If you don't link to that, then it will be "hidden" unless you give out the URL.
Naturally, this doesn't protect against other people publishing your "secret" URL and linking to your site anyway.
What are the different approaches to securing a directory?
including an index page so contents can't be viewed
the problem with this is that people can still access the files if they know the filename they're after
including an htaccess file to deny all
this seems to be the best approach, but is there any case that an htaccess file can be passed by? are there any cases as well where htaccess is not available?
restricting folder access
this is also a nice solution, but the problem is, the folder I'm trying to secure should be viewable and writable by the program.
Are there any other ways that folder security can be done?
Best practice for Apache is to use htaccess to restrict - this only restricts from the webserver - but that should be what you need. You can add authentication into this - but for most needs to you can just deny all acess - which hides the directory completely.
Another method that can also work well with using htaccess to deny direct access would be to use htaccess in your route directory to rewrite urls. This means that a request such as /example/listItems/username/ted can be rewritten as a call to a php or other file such as:
/application/index.php?module=listItems&username=ted
The advantage of doing this is that the webserver does not give out paths to any directories so it is much more difficult for people to hack around looking for directories.
If you want to protect a directory of images you could also use htaccess to redirect to a different directory so that /images/image5.png is actually a call to :
/application/images/image5.png
You could also try not placing your protected directory under your www dir but on other "non www visible" location. If your app needs to read / write data, tell it to do it on the other location. Modify its properties so only the app has the proper rights to do so.