I'm in a development environment and we're using basic .htaccess/.htpasswd authentication to keep lurkers out. But some of my AJAX calls are coming back with HTTP/401 authentication failed errors. Is it possible for me to allow access only to those specific URL's? I can't easily do it by popping a new .htaccess in a subfolder because CodeIgniter uses ReWrites.
It's not possible to allow access only to those specific URL's. Unfortunately, .htaccess and .htpasswd authentication operates on a directory level only. And you're exactly right about why just using a subdirectory won't work - b/c of CI rewrites, which happen AFTER Apache has transferred control to CodeIgniter's index.php front controller.
The easy option, if you're working on something that (1) is not likely to be hacked in the first place, and (2) can't reveal sensitive data even if it is, is to use security via obscurity. Don't have any links to your dev site, include a noindex directive for search engine crawlers, and go on your merry way. This also has the advantage that you can test versions of the site with your colleagues and friends by just telling them the URL to go to.
If you're more worried about security, then you're probably building an auth module for your website's users. In that case, for your dev environment, just call that auth module in the constructor for all of your controllers, and redirect to the login page if the user is not logged in.
Good luck!
Related
Using Codeigniter I want to make my home.php restricted to only registered users but when I try following
http://127.0.0.1/CodeIgniter_2.1.4/application/views/home.php
I get access to home.php(which is in views).
I thought that CI has some restriction for this type of request but its not.So now how can I solve this.
Should I do this in .htaccess?
OR
I should add php code at the top of home.php which will check for valid session data etc.
http://ellislab.com/codeigniter/user-guide/installation/
For the best security, both the system and any application folders
should be placed above web root so that they are not directly
accessible via a browser. By default, .htaccess files are included in
each folder to help prevent direct access, but it is best to remove
them from public access entirely in case the web server configuration
changes or doesn't abide by the .htaccess.
In your application folder make .htaccess with this:
Deny from all
The client wants to make the site (webservice, as he named it), where users can create their own pages, including with JS scripts, etc. I see two ways - using the folders:
http://service.com/user/name/ ...
and subdomains:
http://user.service.com/...
Both paths are not the problem, but the client wants to make it using folders for SEO benefits.
I think if I use folders, it will make the site less secure. For example, user can send AJAX request from its page and the server will respond him. If it was a sub-domain, in accordance with the SOP (Same Origin Policy) request would be rejected. Correct if I'm wrong.
Is it real problem with SOP for folders?
Are there any other security issues for folders?
Is it safer to use subdomains?
Continuing study this issue. As I understood, in case of using folders user also can create page with Black Hat SEO and search Engines will ban my domain. Am I right?
So I can already see 2 security issue in folders and no way to fix it. Are there solutions for it? Are subdomains really more safer or they have other issues?
I am developing a website with CakePHP.
I have an AdminsController for admins to authenticate. However I want create extra security by adding .htaccess password protection.
I tried to do it by adding .htaccess and a .htpasswd files in my Admins view directory since I want the other pages of my site to work normally, but it doesn't work.
So how to add .htaccess and .htpasswd for only a specific view?
In my AdminsControllers's beforeFilter method I've added :
if(env('HTTP_HOST') == 888.888.888.888 || ......),
The list of IP addresses that should be allowed. Can I say that it is safe now?
I think you might want to investigate the other authentication components that CakePHP has to offer. BasicAuthenticate should be of particular interest.
If you go down this route, the authentication will still happen against a userModel rather than a .htpasswd file.
As for the IP restriction, that should be relatively safe. IP spoofing is possible but hard.
I want to implement https on only a selection of my web-pages. I have purchased my SSL certificates etc and got them working. Despite this, due to speed demands i cannot afford to place them on every single page.
Instead i want my server to serve up http or https depending on the page being viewed. An example where this has been done is ‘99designs’
The problem in slightly more detail:
When my visitors first visit my site they only have access to non-sensitive information and therefore i want them to be presented with simple http.
Then once they login they are granted access to more sensitive information, e.g. profile information for which HTTPS is used to deliver.
Despite being logged in, if the user goes back to a non-sensitive page such as the homepage then i want it delivered using HTTP.
One common solution seems to be using the .htaccess file. The problem is that my site is relatively large meaning that to use this would require me to write a rule for every page (several hundred) to determine whether it should be server up using http or https.
And then there is the problem of defining user generated content pages.
Please help,
Many thanks,
David
You've not mentioned anything about the architecture you are using. Assuming that the SSL termination is on the webserver, then you should set up separate virtual hosts with completely seperate and non-overlapping document trees, and for preference, use a path schema which does not overlap (to avoid little accidents).
Supposing you have a form that collects and submits sensitive information and you want to ensure it is never accessed via insecure (non-HTTPS) means, how might you best go about enforcing that policy?
If you're running Apache, you can put a RewriteRule in your .htaccess, like so:
RewriteCond %{HTTPS} "off"
RewriteRule /mypage.html https://example.com/mypage.html
I think the most bullet-proof solution is to keep the code inside your SSL document root only. This will ensure that you (or another developer in the future) can't accidentally link to a non-secure version of the form. If you have the form on both HTTP and HTTPS, you might not even notice if the wrong one gets used inadvertently.
If this isn't doable, then I would take at least two precautions. Do the Apache URL rewriting, and have a check in your code to make sure the session is encrypted - check the HTTP headers.
Take a look at this: http://www.dotnetmonster.com/Uwe/Forum.aspx/asp-net/75369/Enforcing-https
Edit: This shows solutions from an IIS point of view, but you should be able to configure about any web server for this.
In IIS? Go to security settings and hit "Require secure connection". Alternately, you can check the server variables in page load and redirect to the secure page.
I'd suggest looking at the request in the code that renders the form, and if it is not using SSL, issue a redirect to the https URL.
You could also use a rewite rule in Apache to redirect the user.
Or, you could just not serve up the page via HTTP, and keep it only in the document root of your HTTPS site.