0

In my project I have a folder called library. The folder contains essential scripts that other PHP files call from, so I am trying to secure this folder so that nobody would be able to access the directory from the URL.

But I don't know how to do this. The project was built from scratch; I did not use any MVC framework.

So I am left to secure myself.

Thanks for reading.

1

If you are using a Linux server, you can set the access to the folder to 400 to limit it to reading by the system.

0

Disable Indexing is also a good step if you're running Apache. This shall throw out a 403 if anyone attempts to access folders.

0

You need to edit your host files; in Apache2 it is normally (although not always) found in your sites-enabled folder.

apache2 > sites-enabled > 000-default

Edit this file, and where it says:

<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>

Change this to:

<Directory /var/www/>
    Options FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>
0

Would I place the .htaccess in the directory that I want to protect?

1

Disabling Indexing alone does not disable access to the files (assuming they can guess the filenames).

0

@skliz
Yes, add the .htaccess file to the root directory of your project.

@pritaeas
Yes, that was for disabling indexing, yet they can still access the files if they can guess the names...

Also, here is what to use if you want to disable direct execution of PHP files:

# Answer 403 Forbidden when the client's request line names a .php file
RewriteEngine On
RewriteCond %{THE_REQUEST} (.*)\.php
RewriteRule ^(.*)\.php - [F,L]

0

Since it's a library directory, another solution is to use .htaccess:

Order allow,deny
deny from all

This will return 403 Forbidden to any direct web access, but the files will still be available for include(), require() and require_once().

0

One non-Apache way to secure files from direct access would be to apply a CONSTANT in the main file, which all included files must check for in order to run, e.g.

main.php

<?php
define("INCLUDED_ALLOWED", true);

include1.php

<?php
if (defined("INCLUDED_ALLOWED")) {
    //...code...
} else {
    // Requested directly rather than included: answer 404 and stop
    http_response_code(404);
    exit;
}

Granted, this will not protect files other than included PHP files, but are you looking for other types of files to protect? It's not as elegant as an Apache solution though IMO.

Edited by diafol
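
One way to check that every file in the library folder actually carries the constant guard described in the last reply, as an added example that is not part of the thread: a small Python audit script. The function names and the sample files are constructed for illustration, and the check is a heuristic that only looks at the first statement after the opening tag.

```python
import re
import tempfile
from pathlib import Path

# Opening tag, then any whitespace and comments before the first statement.
_PREAMBLE = re.compile(r"\A\s*<\?php\b(?:\s+|//[^\n]*|#[^\n]*|/\*.*?\*/)*", re.S)


def is_guarded(source, constant="INCLUDED_ALLOWED"):
    """True if the first statement tests defined(constant) (heuristic, not a PHP parser)."""
    call = r"defined\s*\(\s*['\"]" + re.escape(constant) + r"['\"]\s*\)"
    # Accepts: if (defined(..)) {   if (!defined(..)) ...   defined(..) or exit;
    guard = re.compile(r"if\s*\(\s*!?\s*" + call + "|" + call + r"\s*(?:or\b|\|\|)")
    start = _PREAMBLE.match(source)
    # No opening tag at the top (e.g. a template): report it for manual review.
    return bool(start and guard.match(source, start.end()))


def unguarded_php_files(root, constant="INCLUDED_ALLOWED"):
    """Return sorted relative paths of .php files under root that lack the guard."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*.php")
        if not is_guarded(p.read_text(encoding="utf-8", errors="replace"), constant)
    )


def demo():
    """Constructed sample tree: two guarded files, one unguarded, one guarded too late."""
    samples = {
        "db.php": '<?php\n// DB helpers\nif(defined("INCLUDED_ALLOWED")){\n  /* code */\n}else{\n  http_response_code(404);\n}\n',
        "auth.php": "<?php\ndefined('INCLUDED_ALLOWED') or exit;\nfunction login() {}\n",
        "mail.php": "<?php\nfunction send() {}\n",
        "util/late.php": "<?php\n$x = 1;\nif (!defined('INCLUDED_ALLOWED')) { exit; }\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return unguarded_php_files(tmp)


if __name__ == "__main__":
    for name in demo():
        print("missing guard:", name)
```

Run against the real library folder with `unguarded_php_files("library")`; any file it lists will execute its code when requested directly unless the web server blocks the directory.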
