Fully securing a directory - security

What are the different approaches to securing a directory?
including an index page so contents can't be viewed
the problem with this is that people can still access the files if they know the filename they're after
including an htaccess file to deny all
this seems to be the best approach, but is there any case that an htaccess file can be passed by? are there any cases as well where htaccess is not available?
restricting folder access
this is also a nice solution, but the problem is, the folder I'm trying to secure should be viewable and writable by the program.
Are there any other ways that folder security can be done?

Best practice for Apache is to use htaccess to restrict - this only restricts from the webserver - but that should be what you need. You can add authentication into this - but for most needs to you can just deny all acess - which hides the directory completely.
Another method that can also work well with using htaccess to deny direct access would be to use htaccess in your route directory to rewrite urls. This means that a request such as /example/listItems/username/ted can be rewritten as a call to a php or other file such as:
/application/index.php?module=listItems&username=ted
The advantage of doing this is that the webserver does not give out paths to any directories so it is much more difficult for people to hack around looking for directories.
If you want to protect a directory of images you could also use htaccess to redirect to a different directory so that /images/image5.png is actually a call to :
/application/images/image5.png

You could also try not placing your protected directory under your www dir but on other "non www visible" location. If your app needs to read / write data, tell it to do it on the other location. Modify its properties so only the app has the proper rights to do so.

Related

Mod_Rewrite Reverse Url Structure

I wonder is it possible to learn the url structure which is written with mode_rewrite. For example, the url that I have is http://somesite.com/topic-header and there must be a kind of somesite.com?id=123 or somesite.com?title=topic-header. Is there any way to detect that?
Only if you have access to the folder in which the .htaccess file resides (or in the apache configuration files, albeit less used).
It's also common knowledge to redirect any links that are not found on the filesystem to index.php, wordpress does this for example.

How to restrict access to views in Codeigniter?

Using Codeigniter I want to make my home.php restricted to only registered users but when I try following
http://127.0.0.1/CodeIgniter_2.1.4/application/views/home.php
I get access to home.php(which is in views).
I thought that CI has some restriction for this type of request but its not.So now how can I solve this.
Should I do this in .htaccess?
OR
I should add php code at the top of home.php which will check for valid session data etc.
http://ellislab.com/codeigniter/user-guide/installation/
For the best security, both the system and any application folders
should be placed above web root so that they are not directly
accessible via a browser. By default, .htaccess files are included in
each folder to help prevent direct access, but it is best to remove
them from public access entirely in case the web server configuration
changes or doesn't abide by the .htaccess.
In your application folder make .htaccess with this:
Deny from all

Allow file access from code, but block from browser?

I have my .htaccess file, and I have a folder with config files in there, and they contain sensitive content, e.g. database details etc. What I would like to know is, how can I block access from a browser, but allow them to be accessed via my scripts?
I know that this can be achieved inside the PHP files themselves, but I'd rather use the .htaccess approach where possible.
Is this actually able to be done? I've attempted it before, but in the process of denying access to the file from the browser, it also denied access from the coding.
I have looked into this before, and some of the answers I came across suggested changing the extension to something like .inc, and then denying access to that. However, a couple of issues I have with that is that a) It instantly alerts anyone that can see that filename, for whatever reason, that it is a config file. Also, b) If my denial code breaks, browsers will not parse it as a PHP file, but rather an inc file, meaning it will print the code in the browser.
Basically, can this be done within a .htaccess file, or do I need to put something in the header of every config file?
Put these files outside of your web server's document root.
You can still access them via your server-side scripts, but this ensures no direct access to them from the outside world.
The conventional advice is to place such files "outside of your web server's document root". This is all well and good, but many shared hosting offerings only give write access to your public_html directory.
I use a simple convention: any private content (that is not URI addressable) is prefixed by an underscore or in a directory that's name is prefixed with an underscore (eg. _private or _include). I then include this rewrite rule in my DOCROOT .htaccess file:
# if a forbidden directory or file name (starting with a . or /)
# then raise 404 Fatal return
RewriteRule (^|/)[_.] - [F]
Remember that you'll need to prefix with a RewriteEngine On and/or include this at the top of any .htaccess file with the engine enabled.
Note that the "." prefix picks up files such as .htaccess.
Please use a framework, these kind of issues just doesn't need to exist. If you insist though, write a .htaccess to redirect every request to a single index.php in the root directory, which then have more logic to determine whether or not the request is for a valid file and include them, otherwise generate 404 or 403. If you need performance for static files, then use RewriteCond to exclude specific directories or file type from the index.php check.

.htaccess for CodeIgniter

My CodeIgniter structure :
public/
application/
system/
I don't want anyone to access http://exampble.com/public, allow only the application to access the resource. I tries to create the file .htaccess in directory with the content 'Deny from all', so the user can't access this directory. But my application can't access as well.
How can I solve this problem?
Please give me any idea. Thanks.
From its name, it appears that you're using the 'public' directory to store relevant images and css for your site.
If that is the case, then there's no way you can prevent users from accessing it, unless you don't want to serve images or display styling for your website.
You may however enable what's called hot-link protection which will check for the referrer for each request (not very secure, but thought it might help you out).

apache - smart way to protect and hide admin folder? robots.txt? .htaccess? Anything else or better?

How do I protect and hide /adminblah/ folder from robots and from users so the only the administrator will know it exists?
1) To prohibit it from robots and bots, we can use robots.txt file.
But, that file will contain Disallow: /adminblah/ then. As result, everybody (who wants to) will know the path to the administrator's folder because he can read robots.txt file.
For that purpose, we can put .htaccess file to the /adminblah/ to password protect that folder.
Is that smart? Any smarter solutions to limit access to /adminblah/index.php page?
This question concerns all the content - admin php files, admin pictures etc.
Mentionning the directory in robots.txt is not a solution since it's worse than doing nothing as you say it yourself.
.htaccess protection is a very good option alone ; add it at the root of /adminblah/ and even IF someone guesses it (including robots) they'll get nothing.
Using a robots.txt to hide a directory from search engines is nothing more than security through obscurity. You must have proper access controls on the content and a .htaccess file is perfect for this.
I like to do things like this
RedirectMatch permanent (?i)adminblah http://www.fbi.gov

Resources