In my project I have a folder called library. the folder contains essential scripts that other php files call from so I am trying to secure this folder so that no body would be able to access the directory from the url.
But I dont know how to do this. The project was built from scratch I did not use any mvc framework.
So I am left to secure myself.
Thanks for reading.
Jump to PostIf you are using a Linux server, you can set the access to the folder to 400 to limit it to reading by the system.
Jump to PostDisable Indexing is also a good step if you're running Apache. This shall throw out a 403 if anyone attempts to access folders.
Jump to PostDisabling Indexing alone does not disable access to the files (assuming they can guess the filenames).
If you are using a Linux server, you can set the access to the folder to 400 to limit it to reading by the system.
Disable Indexing is also a good step if you're running Apache. This shall throw out a 403 if anyone attempts to access folders.
tans alot. How do I disable indexing on apache
You need to edit your host files, in Apache2 it is normally (although not always) found in your sites-enabled folder.
apache2 > sites-enabled > 000-default
Edit this file, and where it says:
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
Change this to:
<Directory /var/www/>
Options FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
add this in your htaccess file: Options -Indexes
would i place the .htaccess in that directory that I want to protect
Disabling Indexing alone does not disable access to the files (assuming they can guess the filenames).
@skliz
yes, add the htaccess file to root directory of your project
@pritaeas
yes, that was for disabling indexing, yet still can access to files if they can guess the names...
also here is if you want to disable direct execution of php files
RewriteCond %{THE_REQUEST} (.).php
RewriteRule ^(.).php - [F,L]
Since it's a library directory another solution is to .htaccess:
Order allow,deny
deny from all
this will return 403 Forbidden to any direct web access, but the files will still be available for include(), require() and require_once().
One non-Apache way to secure files from direct access would be to apply a CONSTANT in the main file, which all included files must check for in order to run, e.g.
define("INCLUDED_ALLOWED", true);
if(defined("INCLUDED_ALLOWED")){
//...code...
}else{
//trigger a 404?
}
Granted, this will not protect files other than included php files, but are you looking for other types of files to protect? It's not as elegant as an apache solution though IMO.
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.