Prevent user from accessing the uploaded file - .htaccess

I have a module which enables users to upload photos to a certain path like
domain/media/img/uploadedFiles/
I would like the user to be able to upload a photo to this location, but he should not be able to reach the uploaded photo by writing
domain.com/media/img/uploadedFiles/filename
I have achieved not listing the files in that path by using a .htaccess file, but if the user knows the name of the uploaded file he can still reach that file.
Thanks

Assuming you're using Apache, you can block access to files in .htaccess too. For example:
<Files private.html>
Order allow,deny
Deny from all
</Files>
To prevent users from accessing any files in the directory, try putting an .htaccess file containing this inside the directory, which sets the default state to deny:
Order Allow,Deny
For more examples of specifying what resources you want to protect, see http://httpd.apache.org/docs/2.2/sections.html
See http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html for more information on access control with Apache.

Related

deny access to directory listing using htaccess

I want to deny access to a particular directory so that it does not show the list of files in it in the browser. For example, if I go to the URL localhost/myproject/assets, it will show the list of all files in it; I want to deny that. And also, if a logged-in user accesses a specific file in it, for example localhost/myproject/assets/uploads/img/1.jpg, then it should be accessible.
Also, how do I deny access to localhost/myproject/assets/uploads/img/1.jpg if that 1.jpg was uploaded by some other user?
I'm new to Laravel. Any help is much appreciated. Thanks
You could add the following to the .htaccess file in the folder. This might help.
Options -Indexes
You cannot deny the access to the jpg uploaded by another user.
If you are using Apache, you can place a .htaccess file in the folder you want to block. Then you can use deny from all to block all requests to that folder.
This works because a .htaccess file can be in every directory in your web root, and only cares about the directory it is in and its subdirectories.
See this answer.

How do I provide a local download link to files denied by htaccess

Users who log in to an admin area of a website need to be able to download files that have been previously uploaded by other admins. Public access to these files is not allowed.
The files are held in a directory called uploaded-files and there is a .htaccess in that folder:
<FilesMatch "\.(pdf|doc|docx|ods|xls|xlsx|ppt)$">
Order deny,allow
Deny from all
Allow from localhost
</FilesMatch>
That seems to work ok. The public can't link to the files. The trouble is that the logged-in admins can't link to them either because:
<a href="uploaded-files/abc.pdf">download</a>
gives a 403 Forbidden when clicked. So it seems PHP/HTML files on the server can't access the files either.
What am I doing wrong? Surely there is an easy way to allow people on the server to download files via a link but still deny access to public?
I've tried keeping the files outside the public_html but I can't provide a link to that location either :(
You should keep these files outside your DOCUMENT_ROOT.
Download links should go via a PHP file, e.g. <a href="http://domain.com/download-files.php?file=abc.pdf">download abc.pdf</a>
The PHP code can check the auth part and allowed host etc. If all validations pass, then return the content of the PDF with the proper Content-Type to the browser.

Deny external access to folder

Is there a way to deny outside access to my upload directory? I don't want users to access my upload directory: www.example.com/uploads
I used .htaccess in the root of my upload folder; however, all the links were broken.
In my .htaccess:
deny from all
Any solution?
If you wish to disable directory listing, simply place 'Options -Indexes' in your htaccess.
You've applied a 'deny from all', which essentially stops ANYONE from accessing files in the directory to which it applies.
Also make sure that 'AllowOverride All' is specified in the vhost definition, otherwise you are unable to override settings via the htaccess file. That is my understanding anyway.
If you wish to disable access to the upload directory and control which files specific users can access, I'd recommend going through a script written in a language such as PHP. A user requests a file from the script, and the script looks to see if they're allowed to view the file. If they are, the file is displayed. If they aren't, then it is not.
References
http://www.thesitewizard.com/apache/prevent-directory-listing-htaccess.shtml
http://mathiasbynens.be/notes/apache-allowoverride-all
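Putting the two answers above (keep the files outside the document root and serve them through a script that checks who is asking) into working code, as an added example rather than any answerer's own: it assumes a hypothetical /var/www/private/uploaded-files directory and that the site's existing login code sets $_SESSION['is_admin'].

```php
<?php
// Added example, not from any answer above: a gatekeeper script that serves
// files stored OUTSIDE the document root only to logged-in admins.
// Assumptions (hypothetical): files live in /var/www/private/uploaded-files
// and the site's login code sets $_SESSION['is_admin'].
declare(strict_types=1);
session_start();

const UPLOAD_DIR = '/var/www/private/uploaded-files';   // not under DOCUMENT_ROOT
const ALLOWED_TYPES = [
    'pdf'  => 'application/pdf',
    'doc'  => 'application/msword',
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'xls'  => 'application/vnd.ms-excel',
    'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
    'ppt'  => 'application/vnd.ms-powerpoint',
    'ods'  => 'application/vnd.oasis.opendocument.spreadsheet',
];

// 1. Authorization: the script, not Apache, decides who may download.
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Resolve the requested name safely. basename() drops any directory part,
//    the pattern rejects odd characters, and realpath() proves the final path
//    still sits inside UPLOAD_DIR (a "../" in ?file= can never leave it).
$name = basename((string)($_GET['file'] ?? ''));
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
$base = realpath(UPLOAD_DIR);
$path = $base !== false ? realpath($base . '/' . $name) : false;

if ($name === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)
    || !isset(ALLOWED_TYPES[$ext]) || $path === false
    || strpos($path, $base . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// 3. Stream the file with an explicit Content-Type and a download disposition
//    so the browser treats it as a download, not as a page of the site.
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . (string)filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With the files outside the web root, no .htaccess rule is needed to hide them, and the admin page links to download-files.php?file=abc.pdf instead of the file itself.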

Securing files and folders with htaccess

I have a couple of files on my server that contain sensitive information. Only the server should be allowed to edit these files; no one else should be able to read/access them. They are stored as .txt.
I've stored them in a separate folder, and added a .htaccess file with:
<Files *>
Deny from all
</Files>
My question is whether it's secure enough to store sensitive information with .htaccess, or if someone can hack it and get access to the files?
Thanks
.htaccess is as secure as you can get, on a server-side basis.
All .ht files by default are inaccessible to the public, so no one can edit or view the .htaccess file unless they access it through FTP etc. So the .htaccess file is as secure as your server is.

How to prevent files settings xml file from being downloaded by entering url but allow php to see

I have an XML file on the server containing the details of the database server. I don't want anyone to be able to access it via URL, but PHP should be able to load the file.
Two ways:
Simply move all those kinds of files outside the webroot, for example /application instead of /public_html/myapplication. You only need accessible pages (index.php etc.) inside the webroot.
Or, if that's not possible/too hard, add this in a .htaccess in the folder that contains the XML file (but it cannot contain files that should be accessible):
Order Allow,Deny
Deny from All
You could use a .htaccess file: http://httpd.apache.org/docs/1.3/howto/htaccess.html
But why put it in XML? Put it in PHP as variables; then even if they visit the page they won't be able to see it.